The Tenth Circuit Court of Appeals has issued a significant decision, finding that a physician’s medical judgment about the medical necessity of heart procedures can be “false or fraudulent” under the federal False Claims Act (FCA). United States ex rel. Polukoff v. St. Mark’s Hosp., et al., No. 17-4014 (10th Cir. Jul. 9, 2018). The district court previously had dismissed the FCA case on a motion to dismiss, a development my colleagues discussed in detail in a prior post. The Tenth Circuit’s ruling not only revived relator’s qui tam FCA case, but also may open the door to more FCA lawsuits based on allegations that claims for treatments or services reimbursed by federal health care programs are “false” because they are not “medically necessary.” Continue Reading Tenth Circuit Revives FCA Claim Based on Alleged Lack of Medical Necessity

Some very good news for the telehealth community can be found amidst the more than 1,400 pages of the proposed Medicare Physician Fee Schedule for 2019 (“Proposed Rule”) issued by CMS yesterday.  Finally, CMS acknowledges just how far behind Medicare has lagged in recognizing and paying for physician services furnished via communications technology.    Continue Reading Telehealth Gets a Boost in Proposed Physician Fee Schedule

In a highly anticipated step, which had been teased by agency leadership in their public appearances over the past several months, FDA released a series of draft guidance documents pertaining to the development and approval of gene therapy products on July 11, 2018. As a follow up to its milestone gene therapy product approvals in 2017 (see here and here), FDA had promised to develop gene therapy-specific guidelines to help spur innovation in this area by providing industry with useful advice and greater regulatory clarity. However, it’s fair to say that we were not expecting to see this large of a transparency commitment by the Agency, which concurrently issued six new guidance documents. FDA Commissioner Scott Gottlieb also issued a lengthy same-day statement on the Agency’s “efforts to advance development of gene therapies,” in which he stated in part: Continue Reading FDA Releases Series of Gene Therapy Guidance Documents: From Drug Development to Postmarket Monitoring

This week, Congress returns from recess to another four-week work period. The dynamics of the next four weeks might be in flux now that President Trump has nominated Brett Kavanaugh to the U.S. Supreme Court. Other issues to monitor include the suspension of risk adjustment payments and the fall out from the Kentucky Medicaid waiver ruling. We cover all this and more in this week’s preview, which you can find here. 

State Medicaid Agencies have historically engaged in an epic balancing act.  Federal law requires State Medicaid Agencies to ensure beneficiaries have access to medically necessary services.  Federal law also requires State Medicaid Agencies to safeguard their Medicaid Programs against fraud, waste or abuse in billing for Medicaid services.  Balancing those competing requirements has long proven challenging.

Indeed, that very challenge is why federal law also requires State Medicaid Fraud Control Units (MFCUs) be housed outside of the State Medicaid Agencies, and that the State Medicaid Agencies have no authority over which cases the individual MFCUs investigate or prosecute under applicable civil or criminal statutes.  Concerns over access to care should not factor into prosecution judgments in the face of allegations of Medicaid fraud.

No state is more emblematic of the challenges presented by that balancing act than Texas.  But Texas may also be a case study in why use of private Medicaid Management and Medicaid Managed Care companies is no panacea for those challenges.  Moreover, Texas may be a case study in the importance of private Medicaid Management and Medicaid Managed Care companies understanding the depth of those challenges and the need to fully assess what the company may be taking on, before contracting to provide Medicaid services in a particular state. Continue Reading Texas:  A Cautionary Tale for Medicaid Management and Managed Care Companies

In its most recent Cybersecurity Newsletter, OCR focuses on the intersection of HIPAA and information security.  To be sure, HIPAA requires covered entities and business associates to address their organizations’ information security. This obligation stems from HIPAA’s requirement that covered entities and business associates assess the potential risks and vulnerabilities to the confidentiality, integrity and availability of their electronic protected health information. This is referred to as a “risk assessment” or “risk analysis” and is a core element of HIPAA’s Security Rule. But it is not enough to simply assess or analyze the risk; HIPAA requires that the risks be mitigated. This is particularly important when it comes to information security risk. As OCR states in its newsletter: Continue Reading HIPAA, Security Vulnerabilities and Patching

This week, focus turns to the Senate as the House overwhelmingly passed its opioid package known as H.R. 6 last week (see our previous coverage here). The Senate will look to combine its various proposals into one package for floor consideration and what passes will provide a timeline for reconciling the House and Senate packages. In other news, the Senate will spend time in the HELP and Finance Committee on drug pricing. With Secretary Azar set to testify, we look for signals that the Administration is moving forward with any aspect of its drug pricing blueprint. We cover this and more in this week’s preview, which you can find here.

The government is focusing on opioids.  Whether it be program policies, enforcement, or legislation, combating the opioid epidemic continues to be a major focus for government officials.  It is also a major piece of the health care legislation moving in both the House and the Senate.

In the Senate, the Judiciary Committee advanced five bills relating to the opioid crisis, and the HELP Committee advanced the “Opioid Crisis Response Act of 2018,” which has over 40 measures relating to opioids. Most recently (6/12), the Senate Finance Committee unanimously approved the Helping To End Addiction And Lessen (HEAL) Substance Use Disorders Act Of 2018.  That Act includes the expansion of the Physician Payment Sunshine Act to include payments to mid-level providers, as we previously blogged about here.  Click here for a summary of all Senate bills.

On the House side, over the last two weeks, the House passed over 50 bills to combat the opioid crisis and have received bipartisan support. Additional opioid related bills have been introduced and passed out of committee. On June 20, the House voted and passed three additional opioid bills (HR 5925, HR 9797, and HR 6082). Two of these bills were considered controversial. H.R. 5797, The IMD CARE Act, repeals the Medicaid IMD exclusion for individuals with opioid use disorders. H.R. 6082, The Overdose Prevention and Patient Safety Act, amends 42 CFR Part 2 confidentiality protections pertaining to substance use disorder patient records.  Continue Reading Opioids Have Our Attention

Thousands of laboratories nationwide will be happy to hear that Florida, which licenses in-state as well as out-of-state laboratories, has repealed its laboratory licensure requirements.  As of July 1, 2018, laboratories doing business in Florida need only maintain CLIA certification. Continue Reading Florida Repeals Laboratory Licensure Requirements Effective July 1st

Privacy and security compliance obligations for health care companies remain hot topics this spring. Health care companies must now contend with data breach laws in all 50 states as well as keeping on top of federal HIPAA developments.

New Colorado Data Breach Law

Our Privacy and Security colleagues recently blogged about a new Colorado law that imposes strict requirements on entities that maintain, own, or license personal identifying information of Colorado residents. The law broadly defines “personal identifying information” as a Social Security number; a person identification number; a password or passcode; a driver’s license or identification card number; a passport number; biometric data; an employer, student, or military identification number; or a financial transaction device. In addition, the law requires entities to report breaches of such data within 30 days of discovery.

Continue Reading Privacy and Security Round-up – Colorado Data Breach Law, Guidance from OCR