Photo of Ryan Cuthbertson

Ryan Cuthbertson is an Associate in the Health Law Practice and focuses primarily on transactional and regulatory matters, including mergers and acquisitions, joint ventures, regulatory compliance review, and licensing activities.  Ryan has also provided due diligence support, and insurance, licensing, and other regulatory guidance to pharmacies, pharmacy benefit managers, laboratories, durable medical equipment suppliers, hospital systems, dialysis and long-term care providers, medical practices, and payors.

Before joining the firm, Ryan spent nearly 10 years as an acquisitions officer in the US Air Force, where he was responsible for managing cost, schedule, and performance of various defense development programs.

The Department of Health and Human Services Office of the Inspector General (OIG) has issued an Advisory Opinion (Opinion) in connection with a hospital’s gainsharing arrangement (Arrangement) with a designated group of neurosurgeons who perform spinal fusion surgeries at the hospital. According to the Opinion, the OIG would not impose sanctions because the Arrangement, when viewed in its entirety, is not designed or likely to induce the neurosurgeons to (i) reduce or limit medically necessary services to their Medicare or Medicaid patients, or (ii) increase referrals to the hospital. This Opinion is the latest in a line of earlier advisory opinions to “bless” gainsharing arrangements that meet certain criteria for minimizing the risk of fraud and abuse. Continue Reading OIG Reaffirms Permissibility of Certain Gainsharing Arrangements

A draft bill recently introduced in the U.S. Senate serves as a good reminder that compliance with data breach reporting requirements is critical. This bill follows significant, high-profile data breaches by Uber and Equifax, both of which involved millions of individuals (87 million and 145 million, respectively) and both of which went unreported for a significant period of time following discovery by the companies. Equifax took more than a month to notify the public, while Uber took more than a year. Continue Reading Proposed Law Would Criminalize Failures to Report Data Breaches

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) released its October Cybersecurity Newsletter last week with a focus on mobile devices. Given the amount of work conducted on mobile devices (odds are that at least some of you are reading this on a smart phone), the newsletter is practical for many in the health care industry. It is also timely in light of the increasing development and use of health apps. (For those developers interested in HIPAA and mobile devices, see our recent post here.)

The key HIPAA risk faced by those in the health care sector using mobile devices is the compromise of electronic protected health information (ePHI); a risk that is compounded by the portability and lack of robust security on these devices. In its newsletter, OCR advises organizations to take some important steps to ensure that ePHI is well-protected on mobile devices. According to OCR, organizations should:

  • Ensure that mobile devices are properly configured before accessing/storing ePHI
  • Train employees on the secure use of mobile devices and the risks of malware infecting mobile devices
  • Implement policies and procedures for mobile devices
  • Take certain IT-related precautions such as:
    • Automatic lock/logoff
    • Logon authentication
    • Regular software/security patch updates
    • Encryption, anti-virus and remote wipe capabilities
    • Use ONLY secure Wi-Fi connections
    • Use Virtual Private Networks (VPNs)
    • Limit downloads to only verified third-party apps

Depending on the size of your organization, some of these recommendations might sound a bit involved, but any efforts now can go a long way to saving you from a data breach. This is particularly true when considering that a breach involving health records can cost upwards of $350 per record.

The newsletter also contains links to much more detailed guidance and information for how to minimize cybersecurity risk on mobile devices.

Correction: An earlier version of this post incorrectly noted that the American Medical Association opposed the rule. The post has been updated to include the AMA’s full statement expressing support for proposed rule. [October 10, 2017]

The U.S. Department of Veterans Affairs (“VA”) is taking a significant step towards expanding needed services to Veterans by proposing a rule to preempt state restrictions on telehealth.

Most states currently restrict providers (including VA employees) from treating patients that are located in that state if the provider is not licensed there. As a result, the VA has had difficulty getting a sufficient number of providers to furnish services via telemedicine for fear that they will face discipline from those states for the unlicensed practice of medicine. Continue Reading Department of Veterans Affairs Aims to Trump State Telemedicine Rules

A New Jersey Supreme Court case earlier this summer has New Jersey lawyers re-examining their clients’ business structures under the State’s corporate practice of medicine doctrine.

Many states prohibit the corporate practice of medicine (“CPOM”) in order to prevent or limit a lay person from interfering with a physician’s independent medical judgment. In New Jersey, for example, the State Board of Medical Examiners’ regulations prohibit a licensee with a more limited scope of practice (e.g., physical therapists, chiropractors, nurse practitioners, etc.) from employing physicians.

In Allstate Ins. Co. v. Northfield Med. Ctr., P.C., 2017 BL 148804 (N.J. May 4, 2017), the New Jersey Supreme Court  ruled that a chiropractor (and his attorney that advised on the structure) may have violated the Insurance Fraud Prevention Act because, under the structure,  a chiropractor could terminate a physician’s employment at any time and had more control over the practice’s profits than the physician (who is required to own a majority interest of the practice in New Jersey).  Thus, the court ruled that the medical practice was controlled by the chiropractor instead of the physician in violation of the New Jersey CPOM prohibition.

Submitting claims while a practice is structured in violation of the CPOM doctrine can lead to insurers recouping payments as false claims. Individual physicians, corporations, and attorneys can also face disciplinary action for their involvement in setting up or operating the fraudulent entity.

It is important that the organizational documents are set up to give the physician control over the practice, but this control should be exercised in reality and not just on paper. Physicians often have managers run many of the business aspects of the practice, but the physician should have the final say with respect to the medical and financial decisions of the practice and the hiring and firing of professionals.  Courts may look past the face of the documents to see who is really calling the shots on a daily basis.

While this recent case is spurring attorneys to evaluate their clients’ structures in New Jersey, this is a good reminder to take a fresh look at CPOM restrictions in other states as well.  Make sure your structure works at the outset and re-examine every so often to adapt with evolving laws and court interpretations of such laws.

In the recently published proposed rule related to the CY 2018 Hospital Outpatient Prospective Payment System (OPPS), the Centers for Medicare & Medicaid Services (CMS) announced that it is considering changes to the regulation governing the date of service (DOS) for clinical laboratory and pathology specimens.  The DOS rules are important to laboratories and hospitals because they dictate which party must bill Medicare for certain laboratory testing performed on stored specimens collected during a hospital procedure but ordered after the patient has left the hospital.  If revisions are ultimately finalized, the proposal could have significant business implications for independent laboratories and hospitals.

Continue Reading CMS May Decide to Permit Labs to Bill for Certain Tests Provided to Outpatients

Last week, the HHS Office for Civil Rights (OCR) launched an improved version of their HIPAA Breach Reporting Tool (HBRT), commonly referred to by OCR and regulated entities alike as the HIPAA “Wall of Shame.” OCR has also made minor changes to the interface for breach reporting.

The HBRT now makes it easy to navigate and mine information on all reported data breaches (breaches must be reported when they involve the protected health information of 500 or more people). Continue Reading The HIPAA “Wall of Shame” is Now Easier to Navigate

Earlier this month, the Office of the Inspector General for the Department of Health and Human Services (“OIG”) published its Semiannual Report to Congress covering the period from October 1, 2016 to March 31, 2017.  The report describes OIG’s work and accomplishments during the 6-month reporting period. Like other OIG reports, including the annual OIG Work Plan, the report gives a good indication of priority areas for OIG and can help guide compliance priorities for providers.  Below are some highlights of the report in the following focus areas: Continue Reading OIG Publishes Semiannual Report to Congress

A bipartisan congressional effort is underway to convince CMS to reverse its biosimilar reimbursement policy implemented under the Obama administration. We discussed the current reimbursement policy in a March 2016 blog post when CMS initially released the guidance.  CMS implemented the controversial guidance as a final rule in October 2016.

The current policy requires all biosimilars that are related to a reference product to be given a shared Healthcare Common Procedure Coding System (HCPCS) code. For Medicare Part B, reimbursement is then calculated based on the average sales price (ASP) of all of the biosimilars with that HCPCS code plus 6% of their reference product’s ASP. Continue Reading CMS Urged To Reverse Obama-Era Biosimilar Reimbursement Policy

ML Strategies has published the first installment of a new weekly preview, designed to give you quick overview of health happenings in the coming week. The preview highlights upcoming activity in the House and Senate and other hot topics on the Hill.

Spoiler alert: the confirmation processes for Dr. Scott Gottlieb (FDA) and Judge Neil Gorsuch (Supreme Court) will get a lot of attention this week.

See HERE for this week’s preview and be sure to stay tuned in the coming weeks.