Privacy Policies and Procedures for Small Healthcare Providers Under Scrutiny.

Although privacy incidents at the largest healthcare providers attract the most attention, The Department of Health and Human Services Office for Civil Rights enforcement (“OCR”) is actively investigating privacy and security incidents at small healthcare providers. This means that small healthcare providers, including solo practitioners, need to actively review their privacy policies and procedures to ensure full compliance with the Health Insurance Portability and Accountability Act Privacy Rule.

As an example, a small dental practice in Texas responded to a bad review by a patient on its yelp page, accidentally revealing protected health information (“PHI”) about the patient. The violation itself would have had consequences, but this dental practice failed to have sufficient privacy policies and procedures to protect the PHI, resulting in OCR settling with the dental practice in October of 2019. The corrective action settlement included a severe fine and a mandate to correct its policies and procedures. Another recent example pertains to a single physician that received a complaint from a patient through a reporter, and subsequently responded to questions from that reporter. OCR determined that the physician revealed PHI and violated the privacy rule, resulting in a six figure fine and corrective actions to its privacy policies and procedures.

For smaller healthcare providers, these examples are reminders to frequently review and update the privacy policies and procedures, then test to ensure such policies and procedures are enforced. A common issue is that many providers assume simply having the policy is enough, but OCR will review whether the policies are in place and that the policies and procedures are actually followed. Another common shortcoming by a small healthcare provider is neglecting to conduct sufficient diligence on their business associates, including a review of their healthcare technology providers. For a small healthcare provider, best practices means having policies and procedures that contemplate annual diligence on business associates, testing of the procedures, and review of the policies against the latest updates to the privacy and security rule.

VW Contributor: Alex Rainville
© 2019 Vandenack Weaver LLC
For more information, Contact Us

Integrated HRAs

A new option exists for employers when it comes to paying for employee health care coverage. On June 13th, the U.S. Departments of the Treasury, Labor, and Health and Human Services (the Departments) issued a final rule allowing employers to use pretax dollars to subsidize employee premiums in the individual health insurance market. Now, employers of all sizes that do not offer a group coverage plan can fund a new health reimbursement arrangement (HRA) known as individual coverage HRA (ICHRA).

Previously, under the Affordable Care Act, employers were prevented from offering stand-alone HRAs that would allow an employee to purchase coverage on the individual market. That has changed. Employers now have the option to provide their workers and their families with tax-preferred funds to pay all or a portion of the cost of coverage that workers purchase in the individual market. The departments posted an FAQs regarding the new regulation. ICHRAs are advantageous to employers because they maintain the tax favored status that apply to a traditional group health plan. Additionally, another employer-sponsored insurance called Excepted Benefit HRAs (EBHRA) allows employers to finance an additional pretax $1,800 per year to reimburse employees for certain qualified medical expenses (such as premiums for vision and dental insurance) even if the employee opts out of enrollment in the traditional group plan.

Qualified Small Employer HRAs (QSEHRA) are still an attractive alternative to group coverage for smaller employers- those with fewer than 50 full-time employees. Under QSEHRAs, employers can give their employees money tax-free to purchase individual health policies through the ACA exchange, similar to ICHRAs. Employees can use these funds to pay all or part of the insurance plan premium or pay for out-of-packet medical costs. While ICHRAs are void of caps on annual allowance amounts, in 2019, QSEHRAs allowance amounts were capped at $5,150 for self-only employees and $10,450 for employees with a family. While ICHRAs are free of caps, employees who choose ICHRAs will not be able to receive any premium tax credit/subsidy for exchange-based coverage. In some instances, if an employer funds an ICHRA or a QSEHRA coupled with individual-market insurance, this will bar the individual-market coverage from becoming part of the Employee Retirement Income Security Act (ERISA).

If employers choose to offer ICHRAs, then the new regulations require a written notice be issued to all employees who are eligible. In this notice, employers need to include a provision that states the ICHRA may make them ineligible for a premium tax credit or subsidy when buying an Affordable Care Act exchange-based plan. ICHRAs will be available for plan years starting on or after January 1, 2020. Employers offering an ICHRA with a plan year that begins on January 1, 2020 should help eligible employees understand that they must enroll in individual health insurance coverage during the open enrollment period, November 1, 2019 through December 15, 2019, for individual health insurance coverage that takes effect on January 1, 2020.

ICHRAs and EBHRA are two new health insurance arrangements that could provide smaller employers with innovative and more cost-effective ways to finance worker health insurance coverage. The IRS has noted that including safe harbor provisions to ensure employers still satisfy the ACA’s affordability and minimum value requirements with ICHRAs will come out later this year.

© 2019 Vandenack Weaver LLC

For more information, Contact Us

 

U.S. Healthcare System Faces Mounting Cybersecurity Risks

The heightened use of technology in healthcare is coupled with mounting cyberattacks. Recently, the healthcare industry experienced a global cyberattack when malicious software targeted the industry. The attack hit Britain’s National Health Service the hardest, affecting sixty-five of its hospitals. Cyberattackers stole healthcare information after using phishing emails to take control of the organizations’ computers, encrypting the computers’ information, and threatening to release the patient information contained on the systems if the organizations failed to satisfy payment demands.

According to the U.S. Department of Health and Human Service’s Office for Civil Rights, over 100 million Americans’ health records were divulged in 2015. In early 2017, Experian predicted the health care industry would be the biggest target for an attack. Moreover, an Identity Theft Resource Center report revealed that more than 25% of all data breaches occurred in the healthcare industry, costing an estimated $5.6 billion each year.

Congress created the Health Care Industry Cybersecurity Task Force through the Cybersecurity Act of 2015 to examine the healthcare industry’s vulnerabilities and create solutions to the cyber threats that place millions of patients’ information at risk each year. In light of the recent attack, the task force investigated the state of health information systems security in the U.S. and found a desperate need to increase health IT security.

In its report to Congress, the task force made a series of recommendations that suggested how to fend off the increasing threats. Among others, the recommendations include creating programs to cleanse healthcare organizations of vulnerable hardware and software and inserting more people with security skills into the healthcare field. The report emphasizes that failure to intervene could lead to catastrophic losses for organizations and patients.

The task force notes that the successful implementation of its recommendations will require significant time and resources, but it hopes the government will promptly respond to its report with efforts to improve cybersecurity in healthcare organizations.

The task force notes that the successful implementation of its recommendations will require significant time and resources, but it hopes the government will promptly respond to its report with efforts to improve cybersecurity in healthcare organizations.

 

© 2017 Vandenack Weaver LLC
For more information, Contact Us

U.S. Supreme Court Interpretation Permits Thousands of “Church Plans” – Including Many for Hospitals and Health Systems – to Remain Exempt from ERISA

On June 5, 2017, the United States Supreme Court unanimously adopted a “broad” interpretation of the exemption allowed under the Employee Retirement Income Security Act (“ERISA”) for “church plans.”   The decision effectively permits thousands of retirement plans adopted by church-affiliated organizations – including numerous hospitals, schools and social-service organizations – to remain exempt from most ERISA requirements.

Plaintiffs in the case of Advocate Health Care Network v. Stapleton argued that a “narrow” interpretation of the “church plan” exemption was appropriate, and that they were damaged by their employers failing to comply with ERISA’s various requirements designed to protect employee retirement savings.  Advocates of the “narrow” interpretation argued that only plans actually established by a church should be eligible for the exemption.

A split among the United States Courts of Appeal between the “broad” and “narrow” interpretations of the exemption had left plan sponsors and participants in an uncertain state where the applicable plan was maintained by a church-affiliated group and not established by the church itself.

A considerable number of plans in question related to church-affiliated hospitals and health systems.  A “narrow” interpretation would render such plans subject to ERISA.

In an 8-0 decision authored by Justice Elena Kagan, the Supreme Court concluded that principles of statutory interpretation favored the conclusion that Congress chose language indicating a “broad” exemption.  The “broad” exemption had been employed in interpretive materials, advisory opinions and private letter rulings of the Internal Revenue Service and Department of Labor, so the decision eliminates, for now, the uncertainty that had arisen with respect to plans that had relied on said interpretation.

© 2017 Vandenack Weaver LLC
For more information, Contact Us

Another Delay in Implementation of the Medicare Part D Prescriber Enrollment Rule

The Centers for Medicare and Medicaid Services finalized a rule in March 2014 that required healthcare providers prescribing medication, where the prescription is paid for by a Medicare Part D plan, to enroll in Medicare as a prescriber. The enforcement date has been delayed several times and was slated to take effect on February 1, 2017, but has recently been delayed again until January 1, 2019.

 

Under the final rule, if a provider is not enrolled in Medicare as a prescriber, the patient’s prescribed drugs will not be covered by the Part D plan. Part D plans will be required to notify patients that the prescriber is not enrolled and the plan will not cover prescriptions from that provider. The most recent delay is aimed at ensuring that prescribers are aware of the rule and reduce the immediate burden placed on the estimated 250,000 prescribers not enrolled in Medicare and the 5.25 million beneficiaries that would be impacted.  

© 2016 Vandenack Weaver LLC
For more information, Contact Us

Healthcare Entities Required to Post New Non-Discrimination Notice

The Patient Protection and Affordable Care Act (ACA) prohibits health care entities from discriminating on the basis of race, color, national origin, sex, age, or disability. The ACA prohibition on discrimination applies to covered entities, which means those healthcare entities that receive federal financial assistance through the Department of Health and Human Services (HHS). For example, a covered entity includes a physician or pharmacy that accepts Medicare or Medicaid, health insurers that offer a plan on the healthcare exchange, and any entity that offers a Medicare part D plan.

In an effort to enforce the non-discrimination law, HHS issued a new rule in May of 2016 that requires all covered entities to post new non-discrimination notices. Although the rule was finalized in May of 2016, health care entities had until October 16, 2016 to post a new notice of non-discrimination. The new notice must state that the health care entity does not discriminate, that language assistance for the patient is available, and delineate how an individual can file a discrimination complaint with HHS. The new notice is intended to decrease discrimination by helping consumers become more aware of their rights.

For further information or to find example HHS non-discrimination notices, visit the following link:
http://www.hhs.gov/civil-rights/for-individuals/section-1557/translated-resources/index.html

© 2016 Vandenack Weaver LLC
For more information, Contact Us

Final Regulations Issued for Non-Discrimination in Health Programs

Section 1557 of the Patient Protection and Affordable Care Act (ACA) allows the Secretary of Health and Human Services (HHS) to issue regulations pertaining to non-discrimination. Earlier in May of 2016, the Secretary of HHS issued such regulations, which bans the denial of healthcare or health coverage to individuals on the basis of race, color, national origin, sex, age, or disability.

This final rule, the first federal civil rights law that broadly prohibits discrimination on the basis of sex, applies to any federally funded health plan. Although the law prohibits discrimination based upon sex, HHS failed to fully define certain issues, such as whether this covers discrimination based upon sexual orientation. However, HHS’s Office for Civil Rights (OCR), the agency tasked with enforcement, has stated an intention to review all claims in this area to determine whether the discrimination can be addressed under the regulations.

This rule will become effective on July 18, 2016, and will be enforced by OCR. Although OCR is tasked as a primary regulator, compliance burdens will fall to all entities covered by the new regulations, as well as individual citizens because the regulations include a private right of action for violations. Further details can be found at the following link. https://federalregister.gov/a/2016-11458

© 2016 Vandenack Williams LLC
For more information, Contact Us

Pending Increases for False Claims Act Civil Penalties

The False Claims Act (“FCA”) creates a civil penalty for any person that knowingly submits for payment a false or fraudulent claim to the federal government. This usually includes any government contractor, but will often arise in the healthcare industry. In 2015, for example, the federal government collected over $3.5 billion resulting from these civil penalties, with approximately $1.9 billion from the healthcare industry.

In December of 2015, the Bipartisan Budget Act was enacted and it included a section titled the Federal Civil Penalties Inflation Adjustment Act Improvements Act (“Act”). This Act amends a prior 1990 act, requiring inflation adjustments to the civil penalties in the False Claims Act. Due to the length of time between the last adjustment, the Act requires a catch-up adjustment and annual adjustments thereafter. The Act is slated to be implemented at all federal agencies by July 1st, with the new rates to take effect by August 1st of 2016.

The first federal agency to issue an interim final rule to implement the catch up adjustment was the Railroad Retirement Board, doing so on May 2, 2016. The interim rule changed the minimum FCA civil penalty from $5,500 per violation to $10,781 per violation, nearly doubling the per violation penalty. As the other agencies look to implement this rule, such as the Centers for Medicare and Medicaid, similar increase are expected. For those working on a government contract, especially those submitting claims to the government in the healthcare industry, taking due care in compliance efforts will be magnified because of the pending increases in FCA civil penalties.

© 2016 Vandenack Williams LLC
For more information, Contact Us

 

Nebraska Legislature Adopts Stronger Prescription Drug Monitoring System

by M. Tom Langan, II

A recently adopted law in Nebraska calls for the state to create a prescription drug monitoring system designed to help prevent the misuse of controlled substances, namely prescription pain medicine.  The system will require physicians and pharmacists to enter into a database patient information when prescribing and dispensing certain medications. Patients are not allowed to opt out of the database. A goal is to help prevent so-called “doctor-shopping” – or when a patient visits multiple doctors to obtain multiple prescriptions.

Physicians and pharmacists should be aware that the system is required to be implemented by January 1, 2017.

© 2016 Vandenack Williams LLC
For more information, Contact Us

Delay Announced in CMS Star Rating System for Hospitals

Originally, the Centers for Medicare and Medicaid Services (CMS) intended to release a star rating system on hospitals, beginning April 21, 2016. However, CMS recently announced plans to delay the rating system until July, or potentially later. The exact timing will depend upon the development of the methodology for rating a hospital.

When the star rating system was designed, the purpose was to create a simple tool for consumers to evaluate hospitals. This system largely incorporated the previous, more complicated, performance measures that follows more than 100 quality measures. While the new star system will not replace the more complicated system, it will be in addition to the prior measures and make the review process simpler for consumers. The new star system incorporates factors such as readmission rates, mortality rates, timeliness of care, safety of care, and other patient driven statistics.

The delay is largely attributed to hospital and lawmaker complaints that the new rating system will impact consumer perceptions, when it may not have a direct bearing on the specific services sought. Moreover, a concern regarding the quality of the data, including the methodology for ensuring accuracy, remained a significant worry for the hospitals. It is unclear when the star rating system will be implemented, but hospitals and consumers should expect further information, if not the unveiling of the star rating system, this summer.

© 2016 Vandenack Williams LLC
For more information, Contact Us