This week, the Sixth Circuit unanimously upheld the March 28, 2012 Federal Trade Commission (FTC) administrative decision that ordered ProMedica Health System, Inc. to divest itself of its August 2010 purchase of St. Luke’s Hospital in Lucas County, Ohio.
The Sixth Circuit held that the merger created no substantive or compelling efficiencies and that it would increase ProMedica’s pricing and bargaining power anticompetitively.
Mintz Levin’s Antitrust Practice attorneys Bruce Sokler, Helen Kim, and Timothy Slattery analyze the Sixth Circuit’s decision and discuss how this landmark decision could be a harbinger of greater scrutiny and enforcement against health care provider mergers that the FTC view as anticompetitive. Read the Antitrust Practice Alert at this link.
Written by: Kimberly J. Gold
Two companies were hit with fines equaling a total of almost $2 million to settle alleged Health Insurance Portability and Accountability Act (HIPAA) violations involving stolen, unencrypted laptops, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced on Tuesday.
OCR conducted an investigation of Concentra Health Services (Concentra) after receiving a breach report that an unencrypted laptop was stolen from one of its facilities. Concentra’s biggest mistake was its failure to remedy previously recognized security problems. The company had engaged in multiple risk analyses revealing that a lack of encryption on its laptops and other devices containing electronic protected health information (ePHI) was a critical risk. While Concentra had taken steps to begin encryption, OCR found that Concentra had insufficient security management processes in place to safeguard patient information. Concentra agreed to pay OCR $1,725,220 to settle potential violations and will adopt a corrective action plan.
The other organization, QCA Health Plan, Inc. (QCA), notified OCR of a breach in February 2012 involving the theft of an unencrypted laptop computer from a workforce member’s car that contained the ePHI of 148 individuals. OCR reported that QCA encrypted its devices following discovery of the breach, but that it failed to comply with multiple HIPAA Privacy and Security Rule requirements between April 2005 and June 2012. In addition to a $250,000 monetary settlement, QCA will provide HHS with an updated risk analysis and risk management plan, including specific security measures to reduce ePHI risks and vulnerabilities. QCA also agreed to retrain its workforce and document its ongoing compliance efforts.
The Resolution Agreements for Concentra and QCA can be found on the OCR website.
ML Strategies has posted its weekly Health Care Update. This publication provides timely information on implementation of the Affordable Care Act, Congressional initiatives affecting the health care industry, and federal and state health regulatory developments.
Top news this week is the continued scrutiny of drug pricing. Between Congress, payors, and physician groups, the biopharmaceutical industry is facing significant headwinds and will be tasked with changing the value proposition (or at least articulating it differently) in order to withstand the pressure from stakeholders on cost and comparative effectiveness.
In keeping with the cost theme, the CBO released new estimates showing that the Affordable Care Act would be less costly and cover more people than previous reports. We believe the major debate after open enrollment is now shifting to cost containment, which will be the context for many legislative and regulatory debates to come in 2014 and going forward.
Click here to read this week’s Update.
ML Strategies has posted its weekly Health Care Update. This publication provides timely information on implementation of the Affordable Care Act, Congressional initiatives affecting the health care industry, and federal and state health regulatory developments. Top news this week includes the resignation of Secretary Kathleen Sebelius, the unprecedented release of Medicare physician payment data, and the decision to ban the painkiller drug Zohydro in Massachusetts. Click here to read this week’s Update.
Written by: Nili Yolin
The Accreditation Council for Graduate Medical Education (ACGME), American Osteopathic Association (AOA), and the American Association of Colleges of Osteopathic Medicine (AACOM) will be forming a unified, single accreditation system for allopathic and osteopathic physicians in 2015. First announced in October 2012, the three governing boards finally approved the framework for implementing a single accreditation system last month, which calls for the AOA and AACOM to become member organizations of the ACGME, thereby allowing the ACGME to accredit all osteopathic graduate medical education programs that are currently accredited by the AOA. In so doing, osteopathic physicians (DOs) training in AOA-accredited residency programs will be able to transfer into ACGME-accredited residencies without having to repeat any years of training.
Written by: Thomas S. Crane, Kimberly J. Gold and Ellyn L. Sternfield
The U.S. Department of Health and Human Services (HHS) announced on April 9th a “historic” release of Medicare payment data to provide consumers with “unprecedented transparency on the medical services physicians provide and how much they are paid.” The Centers for Medicare and Medicaid Services (CMS) declared its intent to make such data available in an April 2ndletter to the American Medical Association. CMS stated on its blog that “[p]roviding consumers with this information will help them make more informed choices about the care they receive.” The new data set covers more than 880,000 health care providers in all 50 states, the District of Columbia, and Puerto Rico, who collectively received $77 billion in Medicare payments in 2012 under the Medicare Part B Fee-For-Service program.
The data set includes information on the provision of services by physicians and how much they are paid for those services and is organized by provider (National Provider Identifier or NPI), type of service (Healthcare Common Procedure Coding System, or HCPCS, code), and place of service (either facility or non-facility). The data set also includes the number of services, average submitted charges, average allowed amount, average Medicare payment, and the number of unique beneficiaries treated.
To protect the privacy of Medicare beneficiaries, any aggregated records which are derived from 10 or fewer Medicare beneficiaries are excluded from the data set.
Written by: Cynthia Larose and Dianne Bourque
April 8, 2014 marked the end of Microsoft’s support for the Windows XP operating system, which means the end of security updates from Microsoft and the beginning of new vulnerability to hackers and other intruders into systems still utilizing the operating system. But does the end of Windows XP support mean that HIPAA covered entities and their business associates using Windows XP are automatically out of compliance with HIPAA as of April 8th? Not necessarily.
It is impossible to say with certainty that April 8th equals HIPAA non-compliance for XP users. There is no one-size-fits-all answer as to whether or not continued use of XP will result in a HIPAA violation, because there is no one-size-fits-all approach to compliance with the HIPAA Security standards. HIPAA Security standards are “flexible and scalable” to ensure that each regulated entity may implement security measures that are reasonable in light of the size and complexity of the organization. As a threshold matter, users of Windows XP must determine whether or not electronic protected health information or (“ePHI”) even passes through an affected system. XP users should also evaluate whether or not there are compensating security measures to protect ePHI or whether additional security measures could be implemented to temporarily protect ePHI, such as disconnecting affected computers from the internet.
Written by: Susan Berson and Roy Albert
Earlier this week, CMS announced in its Final Call Letter that Medicare Advantage rates would rise an average of 0.4 percent in 2015, instead of falling 1.9 percent as proposed in February. CMS’s shift in course may stem from the 1300 comments the agency received in response to February’s advance notice, which announced Medicare Advantage rate cuts along with a range of other controversial policies. This is the second straight year in which CMS proposed significant rate reductions, but then backtracked following a review of stakeholder comments.
The Final Call Letter contains many significant departures from February’s draft, again most likely in response to stakeholder comments. CMS opted not to finalize several proposals:
- Diagnoses from Enrollee Risk Assessments Resulting from Home Visits. CMS expressed concern that provider visits to beneficiaries’ homes were used to gather diagnoses for payment rather than to provide treatment to beneficiaries and proposed to exclude diagnoses obtained from home visits for purposes of 2015 risk adjustment payments. CMS did not move forward with this proposal, but noted that it will study data submitted by Medicare Advantage Organizations to determine whether further policy changes are required.
- Enhanced Alternative Plans. CMS proposed that all Part D enhanced alternative plans would be required to provide additional cost-sharing reductions in the coverage gap for formulary generic and brand drugs. Many commenters opined that CMS’s proposal could cause disruption to beneficiaries with respect to their existing plans. As a result, CMS opted to abandon this proposal.
- Star Ratings. CMS did not move forward with several changes to Star Ratings, the plan rating scoring system used to measure Part C and D plan quality. Most notably, CMS opted to neither: (1) pursue independent plan audits to dispute CMS’s reductions in Star Ratings; nor (2) apply incremental reductions to measures based on the number of errors CMS finds. These proposals were aimed at ensuring the integrity of data supplied by plans to calculate Star Ratings, an issue CMS will continue to study. CMS remains committed to Star Ratings and moved forward with other updates. The Final Call Letter contains an Appendix that summarizes stakeholder comments to CMS’s proposals impacting Star Ratings.
Written by: Kimberly J. Gold
The U.S. Department of Health & Human Services (“HHS”) announced last week that same-sex married couples can now qualify for Medicare Part A and Part B special enrollment periods and reductions in late enrollment penalties.
This policy change results from the groundbreaking 2013 Supreme Court ruling in United States v. Windsor that Section 3 of the Defense of Marriage Act (“DOMA”), which defined marriage as a union between one man and one woman, was unconstitutional. Because of this ruling, Medicare is no longer prevented by DOMA from recognizing same-sex marriages for determining entitlement to, or eligibility for, Medicare.
HHS Secretary Kathleen Sebelius stated that the Medicare changes will help “to clarify the effects of the Supreme Court’s decision and to ensure that all married couples are treated equally under the law.”
Written by: Ellen Janos and Kate Stewart
Today, the three federal agencies charged with regulating components of health information technology (“Health IT”) issued their long-awaited Health IT Report: Proposed Strategy and Recommendations for a Risk-Based Framework (the “Report”). The Report seeks to develop a strategy to address a risk-based regulatory framework for health information technology that promotes innovation, protects patient safety, and avoids regulatory duplication.
Congress mandated the development of the Report as part of the 2012 Food and Drug Administration Safety and Innovation Act, requiring the Food and Drug Administration (“FDA”), the Office of the National Coordinator for Health Information Technology (“ONC”), and the Federal Communications Commission (“FCC”) to coordinate their efforts to regulate Health IT. Notably, the Report identifies and distinguishes between three types of Health IT: (i) health administration Health IT, (ii) health management Health IT, and (iii) medical device Health IT.
The recommendations in the Report include continued interagency cooperation and collaboration, the creation of a public-private safety entity—the Health IT Safety Center—and a risk based approach to the regulation of Health IT. The Report emphasizes that the functionality of Health IT and not the platform for the technology (mobile, cloud-based, or installed software) should drive the analysis of the risk and the regulatory controls on Health IT.