The Health Law Section (“HLS”) website has been updated with January through April 2018 articles on significant developments in the health law arena that may be of interest to you in your practice. These summaries are presented to HLS members for general information only and do not constitute legal advice from The Florida Bar or its Health Law Section. HLS thanks the following volunteers who have generously donated their time to prepare these summaries for our members:
- Trish Calhoun, Esq., Carlton Fields
- Jocelyn Ezratty, Esq., Di Pietro Partners, LLP
- Christian Perez Font, Esq., Chief Compliance Officer, OPKO Health, Inc.
- Angelina Gonzalez, Esq., Panza, Maurer & Maynard, P.A.
- Jan Gorrie, Esq., Of Counsel, Panza, Maurer & Maynard, P.A.
- Caycee Hampton Esq., Carlton Fields
- Jeanne E. Helton, Esq., Smith, Hulsey & Busey
- Anne Kelley, J.D. Candidate, University of Florida
- Michael D. Lessne, Esq., Broad and Cassel, LLP
- Erica Mallon, Esq., Carlton Fields
- Juan Carlos (“JC”) Palacio, Esq., CHC, Associate Director, Health Information Privacy, Jackson Health System
- Danielle Scheer, MPH, CPH, J.D. Candidate, University of Florida
- Paul Thompson, Esq., MPH, Contract Attorney, Raymond James Financial, Inc.
- Timothy S. Wombles, Esq., Broad and Cassel, LLP
Thank you,
Jamie Gelfman, Esq., Broad and Cassel LLP, HLS Editor in Chief
Trish Huie, Esq., Patricia A. Huie, PLLC, HLS Team Editor
Ashley Brevda, Oncology Analytics, Inc., HLS Team Editor
Download the Updates at the Following Links
http://www.flabarhls.org/resources-menu/document-library/health-law-updates
ADMINISTRATIVE LAW UPDATES
Challenge to Florida Board of Optometry’s Authority
In November 2016, two out-of-state optometrists (“Petitioners”) challenged the Florida Board of Optometry’s authority to promulgate Rule 64B13-4.001(2), Florida Administrative Code (2015), requiring optometry licensure applicants in Florida to pass all four parts of the National Board of Examiners in Optometry’s (“NBEO”) examination within the seven-year period immediately preceding the filing of the licensure application. The Petitioners argued that the rule’s seven-year “look back” provision was invalid on multiple grounds.
[1] At the conclusion of the administrative hearing, Administrative Law Judge (“ALJ”) Lisa Shearer Nelson issued a Final Order holding that the “look back” provision in the rule was invalid. Yontz & Johnson v. Dep’t of Health, Bd. of Optometry, No. 16-6663RX, 2017 WL 1423480 (Fla. Div. Admin. Hrgs. Apr. 14, 2017) (Final Order). Notably, ALJ Shearer Nelson held that the Petitioners had “demonstrated that the look-back period in the Rule exceeds the Board’s grant of rulemaking authority” since “[t]he plain language of section 463.006(1) contemplates that in every case, the application for licensure would precede taking the examination.” Yontz, 2017 WL 1423480, at 31–32.
When the “look back” period in the Rule was invalidated it not only prevented out-of-state providers from using their existing NBEO exam scores to apply for licensure in Florida, but it also prevented any student within the United States applying for optometry licensure in Florida from using passing NBEO exam scores attained while completing optometry school. The Yontz decision and Section 463.006(1)(b)(2), Florida Statutes, prohibited students from sitting for licensure examination prior to graduation.[2] This situation presented a significant problem for optometry students across the country who wished to apply for licensure in Florida since many optometry schools require students to take Parts I and, in some cases, Part II of the NBEO exam as a graduation requirement. Therefore, any student that had already taken and passed any part of the NBEO exam before applying for licensure would have to retake the examination after submitting his or her application. Although the Board of Optometry attempted to correct this situation, the explicit requirement that application for licensure precede examination prevented the Board from correcting this issue without legislative intervention.
During the 2018 legislative session, the Florida House of Representatives put forth a bill, H.B. 7059 (the “Bill”), that incorporates a three-year “look back” period into Section 463.006(3), Florida Statutes.[3] The three-year “look-back” period allows students to submit passing scores attained while in optometry school as part of their licensure application provided they are within the requisite timeframe. Under the new licensure requirements, out-of-state practitioners are also allowed to submit NBEO exam scores that are up to three years old to complete their licensure applications in Florida. Both the House of Representatives and the Senate passed the Bill, which was signed by Governor Rick Scott on March 28, 2018 and took effect upon becoming a law.
Submitted by: Angelina Gonzalez, Esq., Panza, Maurer & Maynard, P.A
Fifth Circuit Reverses Dismissal of Complaint Seeking Injunction to Prevent Medicare Recoupment Prior to Conclusion of Administrative Appeal based on Violation of Procedural Due Process
On March 27, 2018, the Fifth Circuit Court of Appeals in Family Rehabilitation, Inc. v. Alex Azar, II, Sec. U.S. Dept. of Health & Human Services, No. 17-11337, 2018 WL 1478052, at *1 (5th Cir. Mar. 27, 2018), reversed the decision of a Northern Texas district court, thereby permitting a plaintiff home health agency to proceed with a complaint seeking a temporary restraining order and injunction against recoupment of more than $7.6 million in Medicare overpayments pending the completion of the plaintiff’s administrative appeal.
The district court had sua sponte dismissed the case for lack of subject matter jurisdiction because the plaintiff’s hearing before an Administrative Law Judge (“ALJ”) was pending and the plaintiff had accordingly not yet exhausted its administrative remedies. See 42 U.S.C. § 405(g) and (h). In reversing, the Fifth Circuit recognized that the plaintiff’s ultra vires claims and its claims based on the government’s violation of its procedural due process established jurisdiction under the “collateral-claim” exception to the channeling requirements of 42 U.S.C. § 405. Under the exception, first recognized in Mathews v. Eldridge, 424 U.S. 319 (1976), a court may have jurisdiction over claims (a) that are “entirely collateral” to a substantive agency decision and (b) for which full relief cannot be obtained at a post-deprivation hearing.
Since the plaintiff sought only to have recoupment suspended until a hearing, and because it raised claims that were unrelated to the merits of the recoupment, the Fifth Circuit determined that the plaintiff’s claims were collateral. Additionally, since the plaintiff alleged that it would go out of business if recoupment continued before the ALJ hearing, the Fifth Circuit determined that there would be irreparable injury to the plaintiff. Accordingly, the Fifth Circuit held that it had jurisdiction to hear the procedural due process and ultra vires claims. The Fifth Circuit dismissed two other avenues to jurisdiction sought by the plaintiff: first determining that there was no jurisdiction under 28 U.S.C. § 1331 because of futility, and second determining that there was no basis for mandamus jurisdiction because the plaintiff did not request that the government provide it with a timely ALJ hearing.
This case may leave the door open for healthcare providers/suppliers who may be put out of business by Medicare recoupment as they await a three- to five-year ALJ hearing through a constitutional procedural due process challenge and by seeking mandamus. The Eleventh Circuit, in In re Bayou Shores SNF, LLC, 828 F.3d 1297 (11th Cir. 2016), cert. denied sub nom. 137 S. Ct. 2214 (2017), held that the bankruptcy court lacked subject matter jurisdiction to enjoin the termination of the debtor skilled nursing facility’s provider agreement because the debtor had not exhausted its administrative remedies. However, the Eleventh Circuit did not consider the collateral claims exception and declined to consider mandamus jurisdiction. Seeking temporary relief and a timely ALJ hearing may be sufficient to impart jurisdiction on the district court while the healthcare business awaits adjudication through the administrative process that the Fifth Circuit in Family Rehabilitation described as a “harrowing labyrinth.”
Submitted by: Michael D. Lessne, Esq., Broad and Cassel, LLP
ANTITRUST UPDATES
Consideration of Efficiencies in Antitrust Merger Analysis under § 7 of the Clayton Act
The core mission of antitrust law is to protect the consumers’ rights to low prices, innovation, and diverse production through competition.[4] The Clayton Act is “the principal federal substantive law governing mergers, acquisitions, and joint ventures.”[5] Section 7[6] prohibits mergers and acquisitions where the effect “may be substantially to lessen competition, or to tend to create a monopoly.”[7]
Circuit Courts are split on whether an efficiency defense may be considered in merger cases. The leading case on the efficiency defense is FTC v. Proctor & Gamble Co.[8], in which the Supreme Court wrote that “[p]ossible economies cannot be used as a defense to illegality. Congress was aware that some mergers which lessen competition also may result in economies, but it struck the balance in favor of protecting competition.”[9]
Support for the position that efficiencies should not be considered in determining if a merger may substantially lessen competition under Section 7 include FTC v. Penn State Hershey Medical Center[10], and Saint Alphonsus Medical Center-Nampa, Inc. v. St. Luke’s Health System, Ltd.[11] Other circuits have ruled to the contrary, and opinions from the 8th, 11th, 6th, and D.C. Circuits have allowed consideration of efficiencies in merger cases.[12]
The Justice Department’s 1982 Merger Guidelines recognized a very narrow efficiency defense, which was preserved in the 1992 Guidelines and expanded in the 1997 revisions.[13] In addition to the 6th, 8th, 11th, and D.C. Circuits and Merger Guidelines, multiple lower courts have held there is some possibility of using efficiencies as a defense, though no court has approved an otherwise illegal merger solely because of efficiencies.[14] Efficiencies presented by defendants must be based on a substantial amount of evidence, must be “cognizable,” and they must be “merger-specific.”[15]
The recent U.S. Supreme Court case of Anthem, Inc. v. United States, fails to clarify if an efficiency defense may be considered in merger cases.[16] The main legal issue presented on petition for a writ of certiorari was whether the Supreme Court’s decision in FTC v. Procter & Gamble Co.[17] foreclosed consideration of efficiencies in a merger analysis.[18]
Anthem contended that “any anticompetitive effects will be outweighed by the efficiencies it will generate.”[19] Anthem argued that the merger would result in cost savings by providing Cigna’s “highly regarded value based products” at the lower prices negotiated by Anthem.[20]
The D.C. District Court Judge found that the cost savings are not recognized as efficiencies since they (1) are not merger-specific, (2) are not verifiable, and (3) may not be “efficiencies” at all.[21] The court distinguished between competition and consumer welfare, and noted that no court has held that “a potential general benefit to consumers at the end of the day can negate competitive harm.”[22]
Anthem was unable to demonstrate that “its plan [was] achievable or that it [would] benefit consumers as advertised,”[23] nor that their offerings to consumers would be anything other than preexisting products (as opposed to a Cigna product at Anthem rates, which would be a merger-specific offering).[24]
When considered by the D.C. Circuit Court, the majority held that Proctor & Gamble did foreclose considering efficiencies, siding with the Third and Ninth Circuits.[25] The dissent disagreed, concluding that United States v. General Dynamics Corp.[26] required a comprehensive consideration of relevant competitive factors including efficiencies, siding with the Eighth and Eleventh Circuits.[27] The circuit split stands to this day, as the petition for certiorari by Anthem, Inc. was denied by the Supreme Court.[28]
While future litigation should not avoid an efficiencies defense, lawyers should not rely on efficiencies to save an otherwise unlawful merger.
Submitted by: Danielle Scheer, MPH, CPH, J.D. Candidate, University of Florida
COMPLIANCE UPDATES
OIG Audits the Accuracy of Hospital Credit Reporting in Claims
In March 2018, the U.S. Office of the Inspector General (“OIG”) filed a report identifying 210 hospitals for which Medicare potentially overpaid approximately $4.4 million. The OIG’s audit reviewed claims spanning from 2008 through 2013. The basis of the review was the OIG’s belief that hospitals failed to accurately report manufacturer credits for its surgical equipment. For purposes of this audit, the OIG reviewed hospital claims submitted for federal benefits payments for device intensive procedures. Specifically, this OIG audit related to five cardiac medical devices that were recalled or that otherwise had high failure rates.
Hospitals or other health care providers often receive manufacturer credits (or reduced payment rates) for medical devices because of device recalls or high failure rates. According to the Social Security Act regulations, hospitals must report certain credits received by manufacturers by using claim modifiers or by inclusion of condition or value codes. Submitting claims with the appropriate modifiers, or condition or value codes, reduces reimbursements from government payors for these medical procedures. Often, credits received from medical device companies are greater than a 50% cost reduction that the hospital otherwise would have had to pay.
Rather than recommending enforcement actions, the OIG recommends that the Center for Medicare and Medicare Services (“CMS”) instruct these hospitals to submit self-reports in accordance with the 60-day rule implemented in 2016. The purpose of the 60-day rule is to allow health care providers to report and return discovered identified overpayments without additional penalties.
CMS will have the final say on how to proceed with the overpayments on these claims. Still, with potential overpayments in the range of $4.4 million, expect CMS to take actions to recoup these overpayments.
Interestingly, the OIG also recommended altering the compliance requirements by doing away with device credit reporting. Until this happens, hospitals and other providers that use and bill for costly surgical equipment, as well as other medical equipment, should be mindful of applying these modifiers to their claims.
The OIG Press Release can be found here: https://oig.hhs.gov/oas/reports/region5/51600059.asp. The full OIG audit report is available at: https://oig.hhs.gov/oas/reports/region5/51600059.pdf. For more information on the 60-day rule, the final rule can be found here: https://www.federalregister.gov/documents/2016/02/12/2016-02789/medicare-program-reporting-and-returning-of-overpayments.
Submitted by: Jocelyn E. Ezratty, Esq., Di Pietro Partners LLP
FRAUD AND ABUSE UPDATES
Florida Ophthalmologist Sentenced to 17 Years for Medicare Fraud
On February 22, 2018, Florida ophthalmologist Dr. Salomon Melgen was sentenced to 17 years in prison after a federal jury in West Palm Beach found him guilty of healthcare fraud.
According to the initial indictment in the case, Dr. Melgen was a retina specialist who commonly treated conditions and diseases of the retina, including macular degeneration. Dr. Melgen was an approved Medicare service provider, and a substantial portion of his high-volume medical practice was composed of elderly Medicare beneficiaries. The Government accused Dr. Melgen of falsely diagnosing patients with age-related macular degeneration and submitting claims to Medicare and other healthcare benefit programs based on false entries in patient medical charts. Dr. Melgen was also accused of falsely diagnosing patients with other retinal disorders, causing them to return to his clinic on a regular basis for medically unreasonable and unnecessary diagnostic tests.
The Government found Dr. Melgen fraudulently billed Medicare more than $73 million. On April 28, 2017, after a two-month trial, a jury found Dr. Melgen guilty of all 67 counts of healthcare fraud.
In a sentencing order entered on February 21, 2018, U.S. District Judge Kenneth Marra found that Dr. Melgen’s “medical practice was conducted in a manner where he routinely, and as a matter of standard practice, diagnosed patients with medical conditions they did not have so he could bill for diagnostic procedures and medical services which were not medically necessary or justified.” The court additionally noted that Dr. Melgen was able to perpetrate fraud “because he was a trained physician in whom his patients placed their trust.”
Dr. Melgen’s abuse of patient trust, and his extensive scheme to defraud Medicare, ultimately resulted in a sentence of 204 months’ imprisonment, to be followed by three years of supervised release. The court additionally ordered Dr. Melgen to pay more than $42 million in restitution to Medicare.
United States v. Melgen, No. 9:15-cr-80049-KAM (S.D. Fla. Feb. 21 2018).
Submitted by: Caycee Hampton, Esq., Carlton Fields
Healthcare Providers Empowered by DOJ Memo in Healthcare Fraud Actions
Federal agencies, including the Centers for Medicare and Medicaid Services (“CMS”), routinely issue guidance documents applicable to regulated healthcare providers that are subsequently treated as binding on such providers, despite the absence of a notice and comment rulemaking process. The issuing agencies often allege violations of a statute or regulation, such as the Anti-Kickback Statute[29] or False Claims Act,[30] when a provider has violated a related guidance document. Providers have long expressed concern that reliance on such guidance documents, when the underlying statute or regulation lacks clarity, is an unfair expansion of an agency’s regulatory authority.
A January 2018 memorandum (the “Memo”) from United States Department of Justice (“DOJ”) Associate Attorney General Rachel Brand will impact the DOJ’s ability to utilize such guidance documents in healthcare fraud civil enforcement actions. The Memo indicated that providers are not bound to comply with guidance documents, unless such standards are set forth in binding laws or regulations. While guidance documents cannot be construed as binding, or as proof that a provider broke the law, they can be used as proof that the accused had knowledge of the regulation or law prior to committing the violation.
This Memo provides a reprieve to providers, limiting the types of documents the DOJ can rely upon as evidence of a regulatory violation. The inability to use regulatory guidance as proof of a violation also gives providers greater latitude for arguing the requirements set forth in laws and regulations. Further, a provider may still utilize guidance documents to his or her advantage by arguing that he or she relied upon the guidance document for regulatory compliance; however, the DOJ may not use such document to argue a regulatory violation.
This change empowers entities and providers to push back against regulatory enforcement actions brought in reliance upon guidance documents. Hopefully the DOJ’s Memo will result in an increased effort to enact laws and regulations that are clear on their face.
Submitted by: Erica Mallon, Esq., Carlton Fields
Middle District Continues to Refine the Application of Standards Set Forth in Escobar
On January 11, 2018, the Chief Judge in the Middle District of Florida overturned a large jury verdict against a nursing home system operating in Florida. Overturning a jury verdict is relatively rare and the decision is getting a lot of attention.
In United States ex rel. Ruckh v. Salus Rehabilitation Services, LLC, No. 8:11-cv-1303-T-23TBM, 2018 WL 375720 (M.D. Fla. Jan. 11, 2018), the United States District Court of the Middle District of Florida vacated an almost $350 million verdict against the owners and operators of fifty-three specialized nursing facilities due to the relators’ failure to satisfy the “rigorous and demanding” materiality requirement established by the landmark Supreme Court case, Universal Health Services v. Escobar, 136 S.Ct. 1989 (2016).
The relator asserted that the nursing facilities’ failure to maintain comprehensive care plans coupled with “a handful of paperwork defects” when filing the Medicaid and Medicare claims made the claims false. However, the relator offered no meaningful or competent proof that the government would have regarded these practices as material to the government’s decision to pay the defendants or lead to the government’s refusal to pay. The relator must demonstrate the defendant’s “knowledge” that the government perceives and has treated the alleged regulatory non-compliance and corresponding claims as material to the government’s payment decision.
The Ruckh decision also focuses in on the “knowledge/scienter” requirement as it relates to the materiality standard. The Court held that the “False Claims Act requires the relator to prove . . . that the defendant knew at the moment the defendant sought payment that the non-compliance was material to the government’s payment decision.”
The Court concluded that through continued full payment for these services despite knowledge of disputed practices, non-compliance, or a claimed defect, the government had “work[ed] itself into a steadily tightening bind . . . of prov[ing] that the government would not do exactly what history demonstrates the government in fact did.” The Court ultimately found the “relator’s claims [to be] fatally ensnarled in that intractable bind.” As a result, the Court granted the nursing facilities’ judgment as a matter of law, vacating the jury rendered judgment.
Based on the Salus decision, relators and their counsel will now need to evaluate whether a provider’s non-compliance would be “material” enough to consider the claim “false” and whether the requisite scienter requirement can be demonstrated. For instance, if a provider does not fully comply with HIPAA, but provided the services, is this non-compliance “material” to payment? What if direct supervision of a service is required but the provider only met the standard for “general” supervision? The Salus decision may provide some defendants with a good defense.
Submitted by: Jeanne E. Helton, Esq., Smith, Hulsey & Busey
Q1/2018: An Active month for Healthcare Fraud Enforcement in Florida
Healthcare fraud and abuse enforcement in Florida continues to trend upwards. During the first three months of 2018, the U.S. Department of Justice (“DOJ”) announced several actions involving Florida defendants. The first action announced in mid-January 2018 involved a kickback scheme by a central Florida pharmacy, a medical doctor and a patient recruiter that resulted in the payment of approximately $4.3MM in false and fraudulent claims to TRICARE. All three defendants were found guilty and convicted after a five-day trial. In another action in late February 2018, a Miami man was convicted and ordered to pay over $9MM in restitution for his role in a $63 million kickback scheme involving a now-defunct Miami-Dade facility that provided partial hospitalization program (“PHP”) services to individuals suffering from mental illness. According to the DOJ press release, the defendant knowingly referred Medicare beneficiaries from the Miami-Dade state court system (some of which were not even mentally ill) to this facility in exchange for kickbacks. Eleven other individuals have also pleaded guilty and have been sentenced, including the owner of the now-defunct facility. On February 23, 2018, the DOJ filed a complaint in intervention against a compounding pharmacy located in Pompano Beach, alleging that the pharmacy was involved in a kickback scheme to induce prescriptions of drugs reimbursed by TRICARE. That case is still pending. On February 28, 2018, the owner and operator of 20 home health agencies in Miami-Dade County was sentenced to 240 months in prison for his role in a $66MM conspiracy to defraud Medicare. According to the DOJ press release, the defendant and other co-conspirators paid kickbacks for patient referrals and submitted false claims to Medicare for services that were never performed. More recently, on March 14, 2018 three Miami home health agency owners were indicted for their alleged participation in a healthcare fraud scheme involving a now-defunct home health agency in Miami. According to the DOJ press release, the defendants conspired with the owners and operators of several home health therapy staffing companies and others to bill Medicare for services that were either medically unnecessary, not eligible for Medicare reimbursement, or which were never provided. That case is also still pending.
Copies of the DOJ’s press releases referenced in this update are available at: https://www.justice.gov/news?f%5B0%5D=field_pr_topic%3A3936
Submitted by: Christian Pérez Font, Esq.
PRIVACY AND SECURITY UPDATES
EU’s New Privacy Law, the GDPR – The Bar is Set High
On May 25, 2018, the European Union’s (“EU”) General Data Protection Regulation (“GDPR”)[31] will take effect. The goal of the GDPR is to protect individuals’ “fundamental right” to the processing[32] of their personal data.[33] The regulation aims to achieve this goal by establishing protections for the privacy and security of personal data of individuals in the EU. Considering how far-reaching, comprehensive and potentially punitive the GDPR will be, U.S.-based healthcare organizations need to understand if it applies to them, the implications for their operations and privacy practices, and potential liability for failing to comply.
The GDPR will directly[34] apply to a healthcare organization if the organization: (i) has an establishment[35] in the EU[36]; (ii) monitors the behavior of individuals whose behavior takes place in the EU, or profiles individuals who are in the EU[37]; or (iii) offers goods (e.g., medical supplies, software, pharmaceuticals) or services (e.g., diagnostic studies, marketing to recruit individuals in the EU to be patients at a US facility, sponsoring a clinical study) to individuals in the EU.[38] These extra-territorial aspects to the GDPR make it far-reaching, which is why U.S.-based healthcare organizations should be aware of this regulation and familiar with its comprehensive components.
For instance, the GDPR creates rights for individuals in the EU, such as right of access[39], recertification[40] (amendment), right to erasure[41] (right to be forgotten), and to restrict the use of personal data.[42] The GDPR also dictates the circumstances in which processing of personal data is permitted. The GDPR requires healthcare organizations processing personal data to implement appropriate technical and organizational security measures (e.g., encrypting the personal data and ability to restore data).[43] Moreover, the GDPR has several notification requirements. These requirements include notifying an individual if their information has been amended or erased[44] and notification (generally within 72 hours) to data protection authorities[45] and affected individuals[46] in the event of the occurrence of a “personal data breach.”[47]
U.S. based healthcare organizations may find themselves in a uniquely challenging situation under the GDRP because of the high volumes of sensitive health related personal data they may process. Health data, specifically “data concerning health”[48], “genetic data”[49] and “biometric data”[50], is considered sensitive. The GDRP establishes higher protection standards for health data and prohibits processing this type of data unless several conditions[51] apply. Keeping in mind that the regulation is not yet active, guidance[52] indicates that failure to comply with the GDPR can result in significant penalties—the maximum monetary penalty can be €20,000,000.00 or 4% of an organization’s global annual turnover, whichever is greater. As a point of reference, the largest HIPAA settlements to date have been around $5.5 million.[53]
Considering a penalty for a breach under the GDPR can be significant, healthcare organizations should take proactive steps to review their operations, determine if the GDPR applies to them, and, if it does, create a data protection program to comply with its comprehensive components.
Submitted by: Juan Carlos (“JC”) Palacio, Esq., CHC, Associate Director, Health Information Privacy, Jackson Health System
HIPAA – Lessons to Learn from the Fresenius Settlement
In an industry overrun with news of almost daily privacy breaches, what makes the Fresenius settlement especially newsworthy is the size of the fine compared to the size and type of the breaches involved.
On February 1, 2018, it was announced that Fresenius Medical Care North America (Fresenius) agreed to pay $3.5 million and entered into a comprehensive corrective action plan for potential violations of the Health Insurance Portability and Accountability Act (“HIPAA”). Fresenius, a large network of dialysis facilities, cardiac and vascular labs and urgent care centers, reported five relatively small breaches based on the theft of equipment at five different facilities involving the protected information of a combined total of 521 patients.
So, how did the robbery of five different facilities end up costing Fresenius $3.5 million?
The fact that all five incidents occurred during one calendar year within a large organization was a factor. In addition, the Office for Civil Rights (“OCR”) took a hard look at Fresenius’ HIPAA privacy and security policies. OCR also focused on the fact that three of the stolen devices were not encrypted.
HIPAA lessons to be learned as a result of this settlement:
- 1. Enterprise-wide risk assessment. If your facility is part of a larger whole, it is time to ensure that there are overall HIPAA policies and that you perform an enterprise-wide HIPAA risk assessment.
- 2. Policies. Review your policies to ensure that they are up-to-date and all-inclusive. Check to see if there is a policy dealing with movement of Protected Health Information (“PHI”) and electronic devices in and out of the facility; a policy that addresses environmental and operational changes that affect PHI; a policy regarding physical safety and the threat of theft; a policy regarding encryption; and a policy addressing security incidents. (Interestingly, one Fresenius facility was cited for failing to implement polices to address security incidents even though a security incident was not involved in the breach.)
- 3. Encryption. Review the implementation of encryption at your facility. The OCR seemingly expects all mobile devices housing PHI to be encrypted. HIPAA privacy and security officers should review and update their plans accordingly.
Submitted by: Trish Calhoun, Esq., Carlton Fields
LEGISLATIVE UPDATES
2018 Legislative Session – Health Law Matters
Every legislative session has its own personality, but in 30 years of lobbying – nothing quite compares to 2018. The session began with scandals and ended in tragedy. Typically, 10% of the bills introduced pass. This year only 200 of the 3,250 bills (roughly 6%) passed both Chambers, and only a handful of the 200 bills that passed were health bills.
House Bill 21. House Bill 21, by Rep. Jim Boyd and Sen. Lizbeth Benaquisto, addressed the opioid crisis. The comprehensive legislation limits prescriptions of opioids to a three-day supply unless a physician denotes that a medically necessary seven-day prescription is required; directs the Florida Department of Health (“DOH”) to establish guidelines for prescribing controlled substances and stipulates that practitioners who fail to follow the guidelines will be subject to discipline; requires all prescribers to complete a two-hour controlled substance continuing education course; and proposes changes to the prescription drug monitoring program. The legislation becomes effective June 1, 2018, with certain provisions taking effect January 1, 2019.
House Bill 37. Direct primary care House Bill 37, by Rep. Danny Burgess and Sen. Tom Lee, passed creating a primary care medical practice model that allows practitioners to establish contractual relationships with patients for defined services. If approved by the Governor, the effective date is July 1, 2018.
Senate Bill 510. Senate Bill 510, by Sen. Dana Young and Rep. Mary Lynn Magar, requires adverse incident reporting at birthing centers effective March 19, 2018.
House Bill 551. House Bill 551, by Rep. Colleen Burton and Sen. Dana Young, provides a public record exemption for certain health care facility building plans received by the Agency for Health Care Administration, which would be effective upon approval by the Governor.
Senate Bill 622. Senate Bill 622, by Sen. Denise Grimsley and Rep. Clay Yarborough, revises numerous provisions relating to health care facility regulations, which becomes effective July 1, 2018.
House Bill 675. House Bill 675, by Rep. Jason Brodeur and Sen. Kelli Stargel, establishes Class III institutional pharmacies, which allows hospitals to move drugs from one location to another within their system.
House Bill 735. House Bill 735, by Rep. Gayle Harrell and Sen. Denise Grimsley, requires facilities performing mammograms to report certain findings to patients. These bills, if approved by the Governor, become effective July 1, 2018.
House Bill 937. House Bill 937, by Rep. Jeannette Nunez and Sen. Lauren Book, directs the DOH to establish two toll free perinatal mental health hotlines.
House Bill 1165. Decades of litigation and “trauma drama” may cease if House Bill 1165, by Sen. Dana Young and Rep. Jay Trumbull, is approved by the Governor. The bill reestablishes a Trauma System Advisory Council to compare trauma center standards; creates an objective needs-based formula for the establishment of new trauma centers based on population and caseload at existing trauma centers; and modifies the application process so that a new facility must be approved prior to operating as a trauma center. The bill also grandfathers in all currently, provisionally approved trauma centers.
House Bill 1337. House Bill 1337, by Sen. Jeff Brandes and Rep. Cary Pigman, changes the term “advanced registered nurse practitioner” to “advanced practice registered nurse” throughout the Florida Statutes, including those granting APRNs the same prescribing authority as ARNPs.
House Bill 7099. House Bill 7099 ratifies the nursing home generator rule following the deaths at The Rehabilitation Center at Hollywood Hills in the aftermath of Hurricane Irma. The bill requires all nursing homes to have the ability to maintain 30 square feet per resident at 81 degrees or less for a period of 96 hours and to have fuel on site to power generators for 72 hours. If the Governor approves the bill, the rule will go into effect July 1, 2018. Nursing homes may receive an extension until July 1, 2019 with a showing of good cause.
Senate Bill 7026. Senate Bill 7026, The Marjory Stoneman Douglas High School Public Safety Act, became priority legislation following the unconscionable mass shooting at the Parkland, Florida high school on February 14, 2018. The legislation, effective March 9, 2018, prohibits people who have been subject to involuntary examination under the Baker Act or who have been declared mentally “defective” from owning or possessing a firearm until a court orders otherwise. The bill authorizes law enforcement officers to seize and hold firearms and ammunition from the person for 24 hours, or longer, if merited. In addition, county school districts may decide whether to participate in the “guardian program” that permits the arming of teachers and other school personnel.
Legislation on the following topics did not pass: allowance of 24-hour ambulatory surgery centers (HB 23/SB 250), creation of 72-hour recovery care centers (HB 23), repeal of certificate of need (HB 27/SB 1492, but note this is the subject of a proposal before the Constitutional Revision Commission), creation of advanced birthing centers (HB 1099/SB 1564), implementation of disaster preparedness and response (HB 7085), creation of patient safety culture surveys (HB 35/SB 1458), development of an infectious disease elimination pilot program (SB 800/HB 579), regulations for telemedicine (SB 280/HB 793), creation of telepharmacy (SB 843/HB 679), adoption of fail-first protocols (SB 98/HB 199), overhaul of personal injury protection (SB 150/HB 19), and allowance of physician fee sharing (HB 425/SB 1862).
Legislation and staff analyses may be found at www.flsenate.gov and www.myfloridahouse.gov.
Submitted by: Jan Gorrie, Esq., Of Counsel, Panza, Maurer & Maynard, P.A.
LICENSING & SCOPE OF PRACTICE UPDATES
Governor Rick Scott Signs House Bill 21 (HB 21), Imposing New Requirements and Restrictions on Prescribing Controlled Substances in Florida
On March 19, 2018, Governor Rick Scott signed into law House Bill 21 (HB 21), which will impose greater constraints and oversight over the prescribing of controlled substances in Florida. The newly enacted law, which becomes effective June 1, 2018, with certain provisions taking effect January 1, 2019, creates Section 456.0301, Florida Statutes, and will require certain health care practitioners to enroll into, and complete, a board-approved (e.g. Board of Medicine, Board of Nursing) continuing education course to continue prescribing controlled substances. The law also amends and expands already existing Florida statutes, imposing new licensing requirements and greater restraints on prescribing controlled substances, such as certification requirements, new disciplinary actions, new definitions, new requirements for use of the prescription drug monitoring program and other electronic medical systems, as well as requiring certain agencies to create and adopt rules for prescribing controlled substances.
One of the primary goals of the bill was to combat Florida’s ongoing opioid epidemic. As a result, one of the most publicized portions of this bill is the amendment of Section 465.0276, Florida Statutes, which will limit prescribing opioids, and certain other controlled substances, to only a three-day supply; with an extended seven-day supply if certain conditions met. For the full text of the law please click the link below.
Source: http://laws.flrules.org/files/Ch_2018_013.pdf
Submitted by: Paul Thompson, Esq., MPH, Contract Attorney, Raymond James Financial, Inc.
REGULATORY UPDATES
Department of Justice Raises Penalties for False Claim and Anti-Kickback Violations
On January 29, 2018, the United States Department of Justice (“DOJ”) increased the per-claim range of civil monetary penalties under the federal False Claims Act (31 U.S.C. § 3729 et seq.) (“FCA”) in accordance with a statutory requirement issued under the Bipartisan Budget Act of 2015, Public Law 114–74. Simultaneously, the DOJ increased the per-claim civil monetary penalties for federal Anti-Kickback Statute (42 U.S.C. § 1320a-7b et seq.) (“AKS”) violations.
Section 701 of the Bipartisan Budget Act of 2015, entitled the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015, revised federal requirements for civil monetary penalties by federal agencies. Section 701 of the Balanced Budget Act of 2015 required federal agencies to adjust civil monetary penalties each year on January 15 to account for inflation during the preceding year. The new formula for calculating inflation adjustments to civil monetary penalties drastically increased civil monetary penalties during the first adjustment period in 2016. Prior to this first adjustment in 2016, the civil monetary penalties for AKS and FCA violations remained unchanged since 1996, when they were revised pursuant to the Debt Collection Improvement Act of 1996. In 1996, the per-claim civil monetary penalty for FCA violations was increased to $5,500 to $11,000 per claim and for AKS violations to $11,000 per claim. 64 Fed. Reg. 47099, 47,104 (Aug. 30, 1999).
Civil monetary penalties assessed after January 29, 2018 for AKS violations occurring after November 2, 2015 are now are $22,363 per claim, up from $21,916 per claim. 83 Fed. Reg. 3944, 3945 (Jan. 29, 2018).
Civil monetary penalties assessed after January 29, 2018 for FCA violations occurring after November 2, 2015, now range between $11,181 to $22,363 per claim, up from $10,957 to $21,916 per claim. Id. In addition to the civil monetary penalties, defendants still are subject to damages calculated at treble the amount paid by a governmental program for FCA violations.
Submitted by: Timothy S. Wombles, Esq., Broad and Cassel, LLP
CMS Finalizes Coverage for Next-Generation Sequencing Tests
On March 16, 2018, CMS finalized a national coverage determination (“NCD”) for next generation sequencing (“NGS”) tests in a final decision memo (see “Decision Memo for NGS for Beneficiaries with Advanced Cancer CAG-00450N”). This decision is in response to a formal request to CMS to establish coverage for comprehensive genetic profile testing after the U.S. Food and Drug Administration (“FDA”) approved the FoundationOne CDx (“F1CDx”), a next generation sequencing device, last Fall.
NGS provides detailed information on multiple types of genetic alternations simultaneously, providing comprehensive and clinically actionable information based on the individual genomic profile of each patient’s cancer. Providers believe the technology can help doctors consult with patients about more targeted care and assist in making more informed treatment decisions.
In addition to covering the FDA-approved F1CDx, CMS is covering FDA-approved or cleared companion in-vitro diagnostics when the test has an FDA-approved or cleared indication for use in that patient’s cancer and results are provided to the treating physician. Additional coverage criteria that must be met under the NCD include that the patient: (1) has either recurrent, relapsed, refractory, metastatic, or advanced stages III or IV cancer; (2) has not been previously tested using the same NGS test for the same primary diagnosis of cancer; (3) and that the patient has decided to seek further cancer treatment (e.g., therapeutic chemotherapy).
Submitted by: Anne L. Kelley, J.D. Candidate, University of Florida
FDA Proposes Rule to Lower Nicotine in Cigarettes
On March 16, 2018, the Food and Drug Administration (“FDA”) issued an advance notice of proposed rulemaking (“ANPRM”) to obtain information for consideration in developing a tobacco product standard setting the maximum nicotine level for cigarettes (See: https://www.federalregister.gov/documents/2018/03/16/2018-05345/tobacco-product-standard-for-nicotine-level-of-combusted-cigarettes).
The ANPRM summary asserts that tobacco-related harms ultimately result from the addiction to nicotine in cigarette products. As a result of this public health concern, the FDA is considering reducing the level of nicotine in these products to make them minimally addictive or non-addictive. The FDA purports to use the best available science to determine a level that is appropriate for the protection of public health. The FDA states that the scope of products covered by any potential product standard will be one main issue for comment in the ANPRM. The FDA also recognizes that any additional scientific data and research relevant to the empirical basis for regulatory decisions related to a nicotine tobacco product standard will be an issue for comment in the ANPRM as well.
Electronic comments must be submitted on or before on June 14, 2018. Comments received by mail/hand delivery courier must be postmarked on or before that date.
Submitted by: Anne L. Kelley, J.D. Candidate, University of Florida
TRANSACTIONS UPDATES
Need a Lyft? Non-Emergency Medical Transportation Ridesharing: Uber Helpful and Uber Risky
Over three million Americans miss or delay medical appointments each year because of inadequate transportation,[54] and an estimated 25% of patients miss an appointment because of lack of transportation.[55] Ridesharing companies have identified an unmet need and are eager to break into the multi-billion dollar, non-emergency medical transportation (“NEMT”) industry.[56]
As traditional public transit and taxi cab services are fraught with cancellations, delays, and lengthy travel time, ridesharing platforms appear to offer promising solutions to access and continuity of care issues, particularly for vulnerable patient populations with limited resources who often have the greatest need for medical care. Just as ridesharing companies have aimed to fill a need in the market for general transportation, they see an opportunity in the NEMT space as well.
Healthcare /NEMT partnerships are proliferating in 2018. In early March 2018, Uber announced its latest initiative, Uber Health, and Lyft announced a partnership with AllScripts and a separate partnership with Blue Cross Blue Shield, CVS, and Walgreens. Both Uber Health and Lyft’s partnership with Allscripts will allow providers to schedule – and pay for – transportation for their patients, and Lyft’s partnership with CVS and Walgreens will offer Blue Cross Blue Shield members complimentary transportation to CVS or Walgreens pharmacies. While these novel transportation platforms have the potential to improve access to care, reduce barriers to healthcare access, and decrease no-show rates for providers, ridesharing NEMT poses significant legal and compliance risks as well.
Healthcare providers who wish to schedule and pay for transportation services for their patients should beware of potential regulatory hurdles, particularly fraud and abuse concerns if providers offer these services at little or no cost to federal program beneficiaries. Potential violations of the Civil Monetary Penalties Law (“CMP”)[57] and the Anti-Kickback Statute (“AKS”)[58] could be alleged for the provision of these services. Healthcare providers should endeavor to meet codified safe harbors to the AKS[59] and exceptions to the beneficiary inducement provisions of the CMP,[60] that address free and discounted services, including transportation.
In addition to AKS and CMP concerns, ride-sharing NEMT poses Health Insurance Portability and Accountability Act[61] (“HIPAA”) and cybersecurity risks as well. These ride-sharing platforms will be accessible by providers online or integrated into a health facility’s existing electronic medical record system. Providers should consider potential cybersecurity exposure, including the risk for a breach of patients’ protected health information through the ridesharing platform, and whether the provider’s electronic medical record system could be accessed or hacked when linked to the ridesharing platform.
While the logistical benefits to provider-coordinated and funded transportation may be significant, the risks may be as well. Providers who are considering the use ridesharing platforms to coordinate patient transportation should consider all legal risks and ensure the relationships and transactions are structured to comply with all state and federal regulations.
Submitted by: Erica Mallon, Esq., Carlton Fields
[1] ALJ Shearer Nelson concluded that Petitioners challenged the “look-back” provision in Rule 64B13-4.001(2), Florida Administrative Code (2015), pursuant to Sections 120.57(8)(b), (c), (d), and (e), Florida Statutes. Yontz, 2017 WL 1423480, at 22.
[2] Section 463.006(1)(b)(2), Florida Statutes, states “[t]he department shall examine each application who the board determines has . . . submitted proof satisfactory to the department that she or he . . . has graduated from an accredited school or college of optometry approved by rule of the board.”
[3] The Florida Senate put forth an identical bill, S.B. 520, to correct the same issue.
[4] Herbert Hovenkamp, The Antitrust Enterprise: Principle and Execution 1 (2005).
[5] ABA Section of Antitrust Law, Merger Review Process, 1 (4th ed. 2012).
[6] 15 U.S.C. § 18.
[7] FTC, The Antitrust Laws, https://www.ftc.gov/tips-advice/competition-guidance/guide-antitrust-laws/antitrust-laws (last visited Apr. 11, 2018).
[8] 386 U.S. 568 (1967).
[9] FTC v. Procter & Gamble, Co., 386 U.S. 568, 579 (1967).
[10] 838 F.3d 327, 348 (3d Cir. 2016).
[11] 778 F.3d 775, 790 (9th Cir. 2015).
[12] See FTC v. Tenet Health Care Corp., 186 F.3d 1045 (8th Cir. 1999); FTC v. Univ. Health, Inc., 938 F.2d 1206 (11th Cir. 1991); ProMedica Health Sys., Inc. v. FTC, 749 F.3d 559, 571 (6th Cir. 2001); FTC v. H.J. Heinz Co., 246 F.3d 708, 720 (D.C. Cir. 2001).
[13] Christopher L. Sagers, Antitrust: Examples and Explanations 298 (2011).
[14] Christopher L. Sagers, Antitrust: Examples and Explanations 298 (2011). See Am. Bar Ass’n., Antitrust Law Developments (Sixth) 362 & n.227 (6th ed. 2007) (collecting cases and so stating).
[15] FTC v. Penn State Hershey Med. Ctr., 838 F.3d 327, 348–49 (3d Cir. 2016).
[16] U.S. v. Anthem, Inc., 236 F. Supp. 3d 171 (2017).
[17] 386 U.S. 568 (1967).
[18] Anthem Inc. v. U.S., 855 F.3d 345 (D.C. Cir. 2017), cert. denied, 137 S. Ct. 1250 (2017) [hereinafter Petition for Cert.].
[19] Anthem, Inc., 236 F. Supp. 3d at 181.
[20] Id.
[21] Id.
[22] Id.
[23] Anthem, p. 8 https://www.justice.gov/atr/case-document/file/940946/download.
[24] Anthem-Cigna Merger Blocked by Appeals Court and the Utility of Efficiencies in Mergers going Forward, Crowell Moring (May 8. 2017), https://www.crowell.com/NewsEvents/AlertsNewsletters/all/Anthem-Cigna-Merger-Blocked-by-Appeals-Court-and-the-Utility-of-Efficiencies-in-Mergers-Going-Forward.
[25] See FTC, 838 F.3d at 348; Saint Alphonsus Med. Center-Nampa, Inc. v. St. Luke’s Health Sys., Ltd., 778 F.3d 775, 790 (9th Cir. 2015).
[26] 415 U.S. 486 (1974).
[27] See FTC, 186 F.3d at 1045; FTC v. Univ. Health, Inc., 938 F.2d 1206 (11th Cir. 1991).
[28] Anthem Inc., 855 F.3d at 345.
[29] 42 U.S.C. § 1320a-7b.
[30] 31 U.S.C. §§ 3729-3733.
[31] Regulation 2016/679, Apr. 27, 2016.
[32] Processing is defined as, “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” Art. 4(2).
[33] Personal data is defined as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” Art. 4(1).
[34] Indirectly, healthcare organizations may be faced with contractual obligations to assist another party with achieving their GDPR requirements. An example relationship is that of covered entity and business associate. Business Associates may be contractually required to assist a covered entity comply with HIPAA.
[35] Rec. 22 GDPR states, “[e]stablishment implies the effective and real exercise of activity through stable arrangements.”
[36] Art. 3 GDPR.
[37] Id.
[38] Id.
[39] Art. 15 GDPR.
[40] Art. 16 GDPR.
[41] Art. 17 GDPR.
[42] Art. 18 GDPR.
[43] Art. 32 GDPR.
[44] Art. 19 GDPR.
[45] Art. 33 GDPR.
[46] Art. 34 GDPR.
[47] A personal data breach is defined as, “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” See Art. 4(12) GDPR.
[48] Data concerning health is defined as, “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.” See Art. 4(15) GDPR.
[49] Genetic data is defined as, personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question. See Art. 4(13) GDPR.
[50] Biometric data is defined as, “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.” See Art. 4(14) GDPR.
[51] Under the GDPR health-specific conditions are required to process this type of data. These conditions include that: “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services [ … ]; “processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices […].” See Art. 9 GDPR. Moreover, a data subject can also give explicit consent to the processing of their data. Id. To obtain a valid consent under the GDPR several factors must be present (e.g., freely given, specific, and unambiguous). See Rec. 32 GDPR.
[52] European Commission, Commission publishes guidance on upcoming new data protection rules (January 24, 2018), http://europa.eu/rapid/press-release_IP-18-386_en.htm.
[53] $5.5 Million HIPAA Settlement Shows Importance of Audit Controls, Dep’t Health & Human Servs. (Feb. 16, 2017), https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/memorial/index.html.
[54] Richard Wallace et al., Access to Health Care and Nonemergency Medical Transportation: Two Missing Links, Transportation Research Record Journal of the Transportation Research Board, Jan. 2005, at 76.
[55] Samina T. Syed et al., Traveling Towards Disease: Transportation Barriers to Health Care Access, J. Comm. Health, Oct. 2013.
[56] Richard Garrity and Kathy McGehee, Impact of the Affordable Care Act on Non-Emergency Medical Transportation (NEMT): Assessment for Transit Agencies 2 (2014).
[57] 42 U.S.C. § 1320a-7a.
[58] Id. § 1320a-7b.
[59] Id. § 1001.952.
[60] Id. § 1320a-7a(a)(5).
[61] Pub.L.104–191.