In both civil and criminal enforcement proceedings, 2017 was perhaps most notable for the cases brought against individual health care providers and small physician practice owners. Among the factors that may have resulted in the uptick in cases against individuals are the Yates Memo issued in late 2015, improved and increased reliance on sophisticated data analytics, and the aggressive focus on opioid addiction and its causes. Continue Reading Health Care Enforcement Review and 2018 Outlook: Criminal and Civil Enforcement Trends
Last week, the Department of Justice (DOJ) entered into a $34 million settlement with Mercy Hospital Springfield (“Hospital”) of Springfield, Missouri, and its affiliate Mercy Clinic (“Clinic”). The settlement resolves an allegation that the Clinic violated the Stark Law by compensating twelve Clinic physicians in a manner that took into account the volume and value of the physicians’ referrals to the Hospital’s infusion center. The U.S. contended that the defendants’ Stark Law violations caused their reimbursement claims to Medicare for infusion services to violate the False Claims Act. Continue Reading Hospital and its Clinic Agree to $34 Million Settlement to False Claims Act Allegation that Compensation to Oncologists Violated the Stark Law
The waiver of copayments, coinsurance, and deductibles owed by patients treated by out-of-network laboratories and other providers is a hot topic in the health care industry. Despite the near absence of clear legal prohibitions on this practice, commercial insurers are aggressively pursuing out-of-network providers who fail to collect amounts owed by their members under a variety of statutory and common law theories.
For example, in 2015, Aetna filed suit against Health Diagnostic Laboratory (HDL), Tonya Mallory (HDL’s former CEO), and BlueWave Health Care Consultants (an independent sales group), alleging that they engaged in a variety of illegal actions, including the failure to collect any amounts owed by Aetna’s members, and that Aetna overpaid for services provided by HDL as a result. While HDL settled, Aetna continues to pursue its claims against Ms. Mallory, who recently failed in her efforts to have the case against her dismissed. However, a recent court decision may give providers some comfort. In June 2016, a Texas federal district court prevented Cigna from recovering funds paid to Humble Surgical Hospital, which allegedly waived amounts owed by Cigna’s members and engaged in other misconduct. The court dismissed all of Cigna’s claims and found that Cigna owed $13 million to Humble. Continue Reading Lessons Learned from FCA Settlement Involving Waiver of Medicare Coinsurance Amounts
Recently, HHS-OIG announced a first-of-its-kind settlement over pharmaceutical manufacturer reporting of Average Sales Price (ASP). Sandoz, Inc. agreed to pay a civil monetary penalty of $12.64 million for alleged failure to submit accurate ASP data to CMS.
ASP reporting was adopted in large part to create a mechanism whereby government drug reimbursement rates for biologics and physician-administered drugs are tied to the actual purchase price of those drugs. ASP is used by Medicare, and some Medicaid programs, to reimburse biologics and physician-administered drugs, such as chemotherapy drugs. Federal law requires pharmaceutical manufacturers to submit ASP information for each of these drugs to CMS on a quarterly basis. The statute authorizes imposition of a maximum civil penalty of $100,000 for each item of false information that is knowingly provided in the ASP reporting to CMS. Additional statutory authority provides that:
If the Secretary determines that a manufacturer has made a misrepresentation in the reporting of the manufacturer’s average sales price for a drug or biological, the Secretary may apply a civil money penalty in an amount of up to $10,000 for each such price misrepresentation and for each day in which such price misrepresentation was applied.
So we know the legal authority that is the basis for HHS-OIG’s sanction. But we don’t know much more than that. In fact, the settlement itself raises more questions than it answers. Continue Reading $12.6 Million Sandoz ASP Reporting Settlement Raises More Questions Than It Answers
Written by: Kimberly J. Gold
In the largest Health Insurance Portability and Accountability Act (HIPAA) settlement to date, two New York hospitals have agreed to pay $4.8 million to settle allegations that they failed to secure thousands of patients’ electronic protected health information (ePHI) held on their shared network.
The U.S. Department of Health & Human Services Office for Civil Rights (OCR) investigated New York-Presbyterian Hospital (NYP) and Columbia University (CU) after the organizations reported a breach involving 6,800 individuals’ ePHI, including patient status, vital signs, medications, and laboratory results.
The organizations are separate covered entities for HIPAA purposes that operate a shared data network linked to the hospital’s information system.
Written by Kimberly Gold
The recent Office for Civil Rights (OCR) enforcement action against Alaska’s Medicaid program provides insight into OCR’s enforcement approach and timely reminders for covered entities hoping to avoid a similar fate. In the first settlement of its kind against a state Medicaid agency, Alaska has agreed to pay the U.S. Department of Health and Human Services (HHS) $1,700,000 under a Resolution Agreement to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement stems from an investigation by OCR following a breach report by DHSS as required under the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The breach report, submitted by DHSS in 2009, disclosed that a USB hard drive, which may have contained electronic protected health information (ePHI) of Alaska Medicaid beneficiaries, was stolen from a DHSS employee’s car. The resulting OCR investigation uncovered evidence of inadequate DHHS policies and procedures to safeguard ePHI. OCR found that DHHS failed to complete a risk analysis, implement adequate risk management measures, conduct employee security training, implement device and media controls, and address device and media encryption.
What may HIPAA covered entities learn from the Alaska settlement?
- Seven-figure settlements are becoming more the rule than the exception when OCR finds serious violations.
- OCR continues to require corrective action plans, which add significantly to a covered entity’s costs resulting from a violation. The Alaska corrective action plan requires DHSS to properly safeguard the ePHI of its Medicaid beneficiaries, and to designate an independent monitor to regularly report to OCR on the state’s efforts to ensure compliance.
- OCR is not afraid to go after a state agency. In a press release, OCR Director Leon Rodriguez stated: “This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”
- The settlement also illustrates the priority that OCR is placing on enforcement of HIPAA violations involving stolen devices. Mr. Rodriguez noted that “[c]overed entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices.”
Under a proposed settlement agreement with the Department of Justice (DOJ), private insurers Humana Inc. (Humana) and Arcadian Management Services, Inc. (Arcadian) must divest certain of Arcadian’s assets in parts of five states in order for Humana to proceed with its $150 million acquisition of Arcadian.
On March 27, 2012, the DOJ filed a civil lawsuit to block the proposed acquisition, alleging that the deal between Humana, one of the largest Medicare Advantage providers in the country, and Arcadian, an insurer with approximately 62,000 Medicare Advantage members, raised competitive concerns in the market for Medicare Advantage plans. In its complaint, the DOJ emphasized that Congress intended for Medicare Advantage insurers to compete vigorously, ultimately offering seniors a wider array of health insurance choices, more affordable benefits than traditional Medicare, and more responsiveness to seniors’ demands.
The DOJ argued that the proposed acquisition would eliminate competition between Humana and Arcadian, and thereby created a combined company accounting for 40 to 100 percent of the Medicare Advantage insurance market in 51 counties and parishes in Arizona, Arkansas, Louisiana, Oklahoma, and Texas. The DOJ further alleged that eliminating head-to-head competition between the companies would allow Humana to increase prices and reduce the quality of the Medicare Advantage plans sold to seniors in the relevant geographic areas.
The proposed settlement, which is pending approval from the court, would require the companies to divest certain Medicare Advantage plans to a DOJ-approved competitor. The proposed settlement would ensure that the buyer(s) of the divested assets would have contracts with nearly all of the same health care providers included in the Humana and Arcadian plans, at substantially the same rates.
The DOJ’s press release, complaint, and proposed settlement in this matter may be viewed here:
No one wants to be the first, especially not in this case. The Department of Health and Human Services’ Office of Civil Rights (OCR) announced its first settlement with a covered entity stemming from a report submitted pursuant to the Health Information Technology for Economic and Clinical Health Act’s (HITECH) Breach Notification Rule (the “Rule”). According to the Resolution Agreement, Blue Cross Blue Shield of Tennessee (BCBST) has agreed to pay the U.S. Department of Health and Human Services (HHS) $1.5 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and submitted to an extensive 450-day corrective action plan with two required biannual reports to address deficiencies in its HIPAA compliance program.
Since the Rule’s publication in August 2009, covered entities have had to notify the Secretary and affected individuals of any breach of unsecured protected health information. If the breach affects more than 500 individuals, notification must be provided to the media. Breaches affecting fewer than 500 individuals must be reported to the Secretary on an annual basis.
On November 3, 2009, BCBST reported to HHS that 57 unencrypted computer hard drives, among other computer equipment, were stolen around October 2, 2009 from a network data closet at an unstaffed facility that it leased. The computer hard drives were part of a system which recorded and stored over 300,000 video recordings and over 1 million audio recordings of customer service calls. The data contained the protected health information (PHI) of just over 1 million individuals, including member names, social security numbers, diagnosis codes, dates of birth, and health plan identification numbers. The breach happened only a month before the computer servers containing the data were to be transferred to another facility.
OCR determined that BCBST failed to implement both administrative and physical safeguards required under the HIPAA Security Rule. First, BCBST neglected to perform the required security evaluation in response to operational changes – the transfer of staff from the facility and the transfer of security responsibilities to the property management company. Second, even though the network data closet was secured by biometric and keycard scan security with a magnetic lock and an additional door with a keyed lock, OCR still determined that BCBST did not use adequate controls restricting facility access – likely because it had not evaluated the quality of or educated the property management’s security services on how to secure the PHI contained in the servers.
Even though the annual deadline for reporting breaches affecting less than 500 individuals has already passed (mentioned in our 2/7/12 post), it is never too early for covered entities and their business associates to evaluate and improve internal HIPAA compliance processes. BCBST was the first, but there are bound to be more enforcement actions related to disclosures under the Rule, and every organization can benefit from a comprehensive HIPAA/HITECH checkup.
Written by Ellyn Sternfield and Stephanie D. Willis
In a Medicare Part C (or “Medicare Advantage”) False Claims Act settlement announced by the Milwaukee-Wisconsin Journal-Sentinel on September 25th, an operator of a Germantown Wisconsin Medicare Advantage plan and its parent agreed to pay $4.8 million to settle allegations that the company improperly paid eligible individuals to enroll in the Medicare Advantage plans, then misled them about the scope of coverage. The company was also alleged to have paid doctors for referrals of eligible individuals and enrolled some of the Medicare beneficiaries without their consent. The whistleblowers who filed the original False Claims Act suit in 2008 were a sales agent and a manager of the company that operated the Medicare Advantage plan. This case, like the November 2010 False Claims settlement involving a Florida Medicare Advantage plan whose owners allegedly exaggerated the severity of enrollees’ illnesses to increase reimbursements, shows that relators and their counsel are working with the government to establish causation between alleged business misconduct in health care settings and the submission of false claims.