Header graphic for print

New York Health Law

OMIG Announces Facebook Page

By Michael P. Pasternack on Posted in Audit and Compliance, OMIG and OIG, Regulatory Issues

The New York State Office of the Medicaid Inspector General today announced their new Facebook page.  This could be the only time anyone in the health care industry might consider a declaration that they “like” the OMIG.

While a Facebook page may appear unusual for this less-than-beloved agency, the OMIG’s office has made several recent attempts to open up to the public, including development of a useful web page, and  informative webinars that often provide free attorney CLE credits.  Through these vehicles, the Office continues its efforts to present a friendlier face to the public and the health care industry.

We may be hesitant to be a “friend” of OMIG, but for those of use who watch them closely and deal with them frequently, following the Facebook page and reviewing the postings may provide additional insight into their workings, priorities and expectations, and help us to understand and address ongoing compliance obligations.

Feds to Offer Free HIPAA Compliance Webinars

By Michael P. Pasternack on Posted in Audit and Compliance, HIPAA and Privacy, Hospitals and Health Care Facilities, Long Term Care, Home Health and DME, Physicians and Other Licensed Professionals, Regulatory Issues

The Office for Civil Rights of the US Department of Health and Human Services, in conjunction with the Workgroup for Electronic Data Interchange (“WEDI”), has announced a series of four free webinars on compliance with the latest Omnibus HIPAA/HITECH final rule, which implements significant changes in the requirements imposed upon health care organizations, providers, and their business associates.  Final compliance with the new rule is required by September 23, 2013.

Aimed at smaller clinical practices, the webinars will  address topics  including the new breach notification requirements, new Business Associate liability, and enforcement.  The first webinar will be held on June 14, 2013.

While we advise clients to review these matters with their legal counsel, it can be quite informative to hear the requirements and compliance expectations directly from the agency responsible for enforcement.  Providers should be prepared to revise their policies and documents, including Business Associate Agreements, well before the September dealine.

Note that the webinars are free, but registration with WEDI is required in order to register.

Are Suits Opposing Obamacare Mandates Ripe?

By Kevin P. Mulry on Posted in Compensation and Employment, Insurance and Managed Care, Litigation, Regulatory Issues

Over fifty cases across the country have challenged regulations promulgated under the Patient Protection and Affordable Care Act (“PPACA” or “Obamacare”) that require employer group health insurance plans to provide coverage for contraception, sterilization and related counseling (the “HHS Mandate”).  Suits have been filed by religiously-affiliated organizations as well as private business owners, asserting that the HHS Mandate will require them to provide health insurance plans that violate their deeply-held religious beliefs.  Claims have been brought under the Establishment, Free Exercise and Free Speech clauses of the First Amendment of the US Constitution, as well as the Religious Freedom Restoration Act and the Administrative Procedure Act.  Two of these cases have been filed in the Eastern District of New York and have now reached contrary conclusions on whether the suits are ripe for adjudication.

The United States has argued that challenges to the HHS Mandate are not ripe because the government is in the process of amending it to address religious objections.  A notice of proposed rulemaking suggesting amendments was issued in February 2013.  In addition, for certain non-profit organizations, a “safe harbor” applies, which extends the deadline for complying with the HHS mandate to August 1, 2013.

Judge Block decides “Not ripe”; Judge Cogan says “Yes it is”

In April, in Priests for Life v. Sebelius (decision),  EDNY Judge Frederic Block held that a challenge to the HHS Mandate was not ripe for judicial decision.  Although the HHS Mandate regulations have been published, Judge Block noted that the government had indicated an intent to amend them and had issued a notice of proposed rulemaking, and he cited to the presumption that government agencies are acting in good faith.  The Court found that the HHS Mandate is “not truly final” and that adjudicating the current regulations would be “a waste of judicial resources.”  Judge Block also noted that his holding was consistent with the overwhelming majority of courts to address the issue.

One case reaching a contrary result is also in the EDNY, Roman Catholic Archdiocese of New York v. Sebelius (decision).  In December 2012, Judge Brian M. Cogan held in that case that certain plaintiffs had standing to sue, and that challenges to the HHS Mandate were ripe and should go forward.  Judge Cogan recognized the government’s stated intent to amend the regulations, but observed that the HHS Mandate is “the currently-operative law,” and that failure to comply could result in substantial penalties.  The Court observed that a notice of proposed rulemaking would not prevent the HHS Mandate from going into effect, and found that the HHS Mandate “is not a non-final policy; it is a final rule.”  In language applicable to both his standing and ripeness analysis, Judge Cogan discounted the government’s argument that its intent to amend the regulations required dismissal, stating that: “There is no ‘Trust us, changes are coming’ clause in the Constitution.”

Issues concerning the HHS Mandate and any amendment will continue to work their way through the courts.  In the Archdiocese of New York case, the government recently filed declarations stating that it would never enforce the current regulations against the plaintiffs. The Court stayed proceedings and discovery, and indicated it would consider the newly-filed representations in the context of the government’s motion for reconsideration or an interlocutory appeal.  Courts outside of New York have split on whether injunctions against current enforcement of the HHS Mandate should issue in cases brought by for-profit plaintiffs not covered by the safe harbor.  The more than fifty cases at various stages throughout the country can be tracked on the website of the Becket Fund, which is representing plaintiffs in several of the cases.  Regardless of whether or how the HHS Mandate is amended, the issue of whether it conflicts with the religious liberty rights of organizations, businesses and individuals is likely to find its way to the Supreme Court.

Health Privacy Liability Issue Proceeds to NY Court of Appeals

By Kevin P. Mulry on Posted in Audit and Compliance, Compensation and Employment, Corporate and Business, HIPAA and Privacy, Litigation, Physicians and Other Licensed Professionals

In  last week’s decision in Doe v. Guthrie Clinic, Ltd. the Second Circuit Court of Appeals certified to the New York Court of Appeals the issue of whether a medical corporation may be liable for the unauthorized disclosure of medical information, when the employee responsible for the breach was not a physician and was acting outside the scope of her employment.

The plaintiff in Doe went to a health clinic to be treated for a sexually transmitted disease.  A nurse at the clinic was the sister-in-law of the plaintiff’s girlfriend, and sent six text messages to her about plaintiff’s medical condition.  The plaintiff learned of the messages and complained to the clinic, which fired the nurse.  The clinic advised plaintiff that his confidential information had been improperly disclosed, and that disciplinary action had been taken.

Plaintiff sued, alleging among other claims the common law breach of fiduciary duty to maintain the confidentiality of personal health information.  On appeal from the dismissal of the claim by the district court, the Second Circuit first recognized that a common law action against a physician who improperly discloses confidential medical information is well established in New York.  However, the Court also noted that corporate liability is not implicated by the ultra vires acts of employees.  The issue presented, therefore, was whether the common law claim can lie against the corporation when the responsible employee was acting outside the scope of her employment.

Scant Case Law

The Second Circuit found very little New York case law on the issue.  A Third Department case found an expanded corporate tort liability in such a situation, but without citation to statutory authority or case law and over a dissent by two justices.  A subsequent New York Court of Appeals case did not impose liability on a medical corporation for a sexual assault by a physician, but that case did not involve an alleged breach of fiduciary duty for unauthorized disclosure of medical information.

The Second Circuit found the issue proper for certification to New York’s highest court. In addition to the sparse state case law, the Court noted that the issue implicates significant New York state interests in the confidentiality of medical information and in the liability of New York-based medical providers.

Compliance Concerns

Regardless of how the New York Court of Appeals decides this issue, the Doe case again highlights the need for medical providers to have good policies governing the confidentiality of medical information, and to ensure that these policies are clearly communicated to all employees.  Providers may wish to review HIPAA, HITECH and State requirements with their legal counsel in order to comply with the often complex provisions of the laws and regulations.

Out-of-Network Billing – New Hope for Patients

By Christopher J. Kutner on Posted in Hospitals and Health Care Facilities, Insurance and Managed Care, Physicians and Other Licensed Professionals

Unexpected bills to patients for out-of-network medical care have been a problem for years. Patients, their providers – both in and out-of-network – and the insurance carriers (the “payors”)  have likely been involved at one time or another in the sometimes messy situation triggered by an out-of-network provider submitting a claim for charges. Payors have been trying to eliminate the instances when they are obligated to pay charges or a percentage thereof, while certain specialty providers are trying to hold out for as long as possible and obtain maximum reimbursement.

The exposure to patients for enormous balances remaining after applying their insurance coverage may soon be a thing of the past. When specialty providers refuse to contract with payors because they deem the fees offered inadequate, the payors have re-written the insurance policies to cap benefits based on a percentage of some benchmark fee. The payors also attempt to educate and incent their insureds to use only network providers lest they be exposed to large balances. The payors have also enlisted their network providers to not use out-of-network providers or be subject to takebacks themselves.  The payors want their insureds to become more active and aware in the selection of providers

For example, a person is injured and seeks treatment in the emergency department for a laceration to the forehead requiring the skills of the plastic surgeon on call. The plastic surgeon does not accept any insurance and simply bills the patient based on her charges, which are usually a multiple of Medicare and what the payor would pay under an agreement with a network plastic surgeon. Because the insurance company must indemnify the insured in such emergency situations, so begins the negotiation between the payor and the surgeon. The surgeon is not obligated to accept the fee offered by the payor, but may demand a greater fee provided it is reasonable and so the patient is stuck in the middle liable for the difference between the payor’s fee (low) and the surgeon’s charges (high) - which could be thousands of dollars.

Proposed Legislation

New York Governor Andrew Cuomo has been eyeing this issue. While his executive budget is silent on the point, the Senate’s budget bill is not.  The Senate seeks to insulate patients from balance billing for emergency services. It would require binding arbitration for disputes over physician fees for emergency services.

 The Senate would set a new standard by requiring health plans to offer products that provide coverage of 80% of the usual and customary cost of out-of-network services as defined by FAIR Health, an independent entity that publishes equitable charges for specific health care services.

Health plans and doctors also would be subject to various new disclosure rules. Hospitals would be required to disclose their standard charges for items and services they provide, including for diagnosis-related groups. They must disclose which insurance plans they accept, and the name, practice name and contact information for any physician whose services will be provided at the hospital but will not be billed as part of the hospital charges. They would have to make that disclosure at either pre-admission testing, outpatient registration, or non-emergency hospital admission, whichever is earlier. They must disclose whether physician anesthesiology, pathology, radiology or other services are billed as part of the hospital charges or separately.

With this information available, patients will have more opportunity to understand ahead of time their exposure for medical bills and perhaps make choices to mitigate the exposure.

Essential Health Coverage Benefits – The ACA Final Rule

By Christopher J. Kutner on Posted in Compensation and Employment, Insurance and Managed Care, Regulatory Issues

The U.S. Department of Health and Human Services (HHS) has issued a final rule stating the future health insurance exchange (“Exchange”) and insurance issuer standards related to coverage of essential health benefits (EHB) and actuarial value. The final rule further establishes a timeline for when qualified health plans (QHPs) should be accredited in federally facilitated Exchanges.

Beginning January 1, 2014, non-grandfathered insurance plans in the individual and small group market and those in the Exchanges will be required to provide coverage of benefits or services in ten (10) separate categories that reflect the extent of benefits covered by a typical employer plan. A QHP is one that provides a benefits package that covers EHB, includes cost-sharing limits, and meets minimum value requirements.

Essential Benefits

Regarding scope of EHB, each state will be permitted to identify a single EHB-benchmark plan. This is defined as the standardized set of essential health benefits that must be met by a QHP from the following four choices:

  1. Small group health plan, defined as the largest health plan by enrollment in any of the three largest small group insurance products by enrollment in the state’s small group market;
  2. State employee health plan, which is any of the largest three employee health benefit plan options by enrollment offered and generally available to state employees;
  3. Any of the largest three national Federal Employees Health Benefits Program (FEHBP) plan options by aggregate enrollment that is offered to all health benefits eligible federal employees; or
  4. A non-Medicaid coverage plan with the largest insured commercial enrollment offered by a health maintenance organization (HMO) operating in the state.

The default base-benchmark plan will be the first option discussed above in the event a State does not make an election. A benchmark plan must include coverage in each of the 10 categories (ambulatory patient services; emergency services; hospitalization; maternity and newborn care; mental health and substance use disorder services, including behavioral health treatment; prescription drugs; rehabilitative and habilitative services and devices; laboratory services; preventive and wellness services and chronic disease management; and pediatric services, including oral and vision care).

A multi-state plan must meet benchmark standards set by the U.S. Office of Personnel Management (OPM). Additional information on EHB benchmark plans can be found here.

The Affordable Care Act creates four tiers of health plans available for purchase through the Exchanges. Each tier is defined by its actuarial value (AV). The HHS has created an AV calculator to assist in determining a plan’s metal level.

  • A bronze health plan is a health plan that has an AV of 60 percent;
  • a silver health plan has an AV of 70 percent;
  • a gold health plan has an AV of 80 percent; and
  • a platinum health plan has as an AV of 90 percent.

The value may vary by plus or minus 2 percent. The purpose of establishing these “metal” levels is to help participants and potential enrollees compare various health plans.

Minimum Value

An employer-sponsored plan is deemed to provide minimum value (MV) if the percentage of the total allowed costs of benefits provided under the plan is no less than 60 percent. In order to determine whether a plan provides minimum value, an employer-sponsored plan may use the MV calculator provided by the HHS and the Internal Revenue Service, or avail itself of “an array of design-based safe-harbors published by HHS and the Internal Revenue Service in the form of checklists to determine whether the plan provides MV.”

The MV Calculator will have similar functionality to the AV Calculator but will be based on claims data that better reflects typical employer-sponsored plans. Alternatively, a group health plan may seek certification by an actuary to determine MV if the plan contains non-standard features that do not lend themselves to either of these determination methods.

Annual Limits

HHS explains that it interprets the health care law as requiring all group health plans to comply with the annual limitation on cost-sharing, while only plans and issuers in the small group market are subject to the Act’s deductible limits.

Deductible Limitations and Cost-Sharing

For 2014, the deductible limit for self-only coverage is set at $2,000; and at $4,000 for coverage other than self-only. Guidance issued by the Department of Labor’s Employee Benefits Security Administration (EBSA) explains that small group market health insurance coverage may exceed the annual deductible limit if it cannot reasonably reach a given level of coverage (metal tier) without exceeding the deductible limit.

With respect to self-insured and large group health plans, the agencies responsible for implementing the ACA plan to issue a rule to implement §2707(b) of the Public Health Service (PHS) Act, which was added by the ACA, providing that a group health plan must ensure that any annual cost-sharing does not exceed the ACA’s limits on out-of-pocket maximums and deductibles for employer-sponsored plans.

Only plans and issuers in the small group market are required to comply with the deductible limit described in section 1302(c)(2) [of the ACA]. A self-insured or large group health plan will be permitted to rely on the agencies’ stated intent to apply the deductible limits only on plans and issuers in the small group market until such regulations are issued.

As for the annual limit on out-of-pocket maximums, all non-grandfathered group health plans (including large group insured plans and self-insured plans) must comply with the annual limitation on out-of-pocket maximums set forth in §1302(c)(1) of the ACA, which ties the annual limitation on cost sharing for plan years beginning in 2014 to the enrollee out-of-pocket limit for high deductible health plans (HDHP).

A plan’s annual limitation on out-of-pocket maximums will be considered satisfied if the plan complies with the requirements with respect to its major medical coverage (excluding certain coverage such as prescription drug and pediatric dental services) and whether the plan or any health insurance coverage includes an out-of-pocket maximum on coverage that does not consist solely of major medical coverage.

Pursuant to the Mental Health Parity and Addiction Equity Act of 2008 (MHPAEA), however, plans and issuers “are prohibited from imposing an annual out-of-pocket maximum on all medical/surgical benefits and a separate annual out-of-pocket maximum on all mental health and substance use disorder benefits.”

Accreditation

With respect to a timeframe, the rule states that the future Exchanges will be required to establish a uniform period within which a QHP issuer that is not already accredited must become accredited. The OPM will establish the accreditation period for multi-state plans. The rule outlines a multi-year accreditation timeline applicable for federally-facilitated Exchanges.

These regulations are slated to take effect 60 days after publication in the Federal Register, which is scheduled for Monday, February 25, 2013.

New Breach Notification Requirements Released

By Michael P. Pasternack on Posted in Audit and Compliance, HIPAA and Privacy, Regulatory Issues

laptop_data_breach_iStock_000015066702XSmall_400x300The US Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) released final rules on January 17, 2013 governing the privacy and security of protected health information under HIPAA and the HITECH Act.  The new rules take effect March 26, 2013; compliance is expected by September 23, 2013. This post will focus on the changes to the requirements for notifications following a data breach.  Future posts will address changes to Business Associate Agreements, Notices of Privacy Practices, and other key provisions of the new rules.

Reporting to HHS and Affected Individuals

Under the HITECH Act, providers are required to notify HHS and affected individuals of breaches of protected health information.  Since 2009, the OCR has received only 537 reports of breaches affecting 500 or more individuals.   This is a noticeably low number.  Reasons for this include (1) lack of knowledge of the reporting requirements, (2) failure to adequately investigate breaches, and (3) an aggressive approach to risk assessments of breach issues.  The first two are clearly compliance issues that providers should address immediately – there is no excuse for not having a current policy, or failing to investigate an issue, especially as OCR steps up HIPAA enforcement.

For the third, under the old HITECH breach notification rule the majority of breaches were determined by providers to be non-reportable. The risk assessment was based upon whether the breach posed a significant risk of harm (financial, reputational, or other) to the affected individuals.  Most providers who conducted these assessments determined that there were no significant risks and therefore no requirements to report specific breaches.

New Rules, New Considerations

Under the new rules, “an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.”  Risk assessments will now use the following factors: (1) the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the protected health information or to whom the disclosure was made; (3) whether the protected health information was actually acquired or viewed; and (4) the extent to which the risk to the protected health information has been mitigated.

While this still leaves room for the judgment of the provider, it will not be as easy to document that a particular breach is not reportable.  OCR has stated that the old criteria were misinterpreted by providers as setting a higher threshold for reporting than was intended.

In the coming months, providers will need to revisit and update their privacy policies to reflect the new rules.  Privacy officers and their organizations will need to rethink their risk assessments of data breaches, and get used to the fact that they may need to report breaches to HHS and affected individuals more frequently.

“Affordable” Health Coverage Under Obama Care

By Jeffrey P. Rust on Posted in Compensation and Employment, Insurance and Managed Care, Regulatory Issues

As Chris Kutner explained in his January 4, 2013 post, the Patient Protection and Affordable Care Act of 2010 (“PPACA” or “Obama Care”) requires, beginning in 2014, that employers with 50 or more full-time employees (“large employers”) offer “affordable” health insurance to their employees. Failure to do so will subject the employer to penalties. Recently published IRS proposed regulations provide guidance to employers on these potential penalties.

Is your health coverage affordable?

If the health coverage offered by a large employer is not deemed “affordable” and at least one FTE receives a premium tax credit to purchase coverage on an Exchange, the employer will incur a tax under IRC §4980H. An employer’s health coverage is affordable if the employee’s share of the self-only premium under the lowest-cost plan that provides “minimum value” does not exceed 9.5% of the employee’s household income. An employer, of course, will not know the employee’s household income (and the employee will most likely not know his or her household income until year end). For this reason, the IRS has offered a safe harbor that would allow the employer to use the employee’s current W-2 wages instead of the employee’s household income for purposes of determining affordability of the health coverage.

Determining if your lowest-cost plan offers “minimum value”

An employer’s lowest cost plan will fail to provide “minimum value” if the plan’s share of the total allowed cost of benefits provided under the plan is less than 60% of such costs. This is generally understood to be an actuarial value test. Actuarial value is defined as the percent of costs that a health plan will cover, versus the percentage a beneficiary will have to pay directly. So if a large employer’s health insurance plan has an actuarial value of 55%, the plan would, on average, require its employees to directly pay 45% of health expenses, through co-pays, co-insurance, deductibles, etc. The remaining 55% would be paid by the insurer. Thus, the 55% plan would fail to provide minimum value.

Obama Care Employer Mandates: Who Must Comply?

By Christopher J. Kutner on Posted in Audit and Compliance, Corporate and Business, Insurance and Managed Care, Regulatory Issues

The Patient Protection and Affordable Care Act of 2010 (“PPACA” or “Obama Care”) requires, beginning in 2014, that employers with 50 or more full-time employees (“large employers”) offer “affordable” health insurance to its employees. Failure to do so will subject the employer to penalties.

Future blog postings will address the coverage requirements and penalties under PPACA, but to start, what should you be doing in 2013 to determine if the mandate applies to your business?

Defining a “Large Employer”

Whether a business has achieved “large” status under PPACA is measured by calculating the sum of all full-time employees and all FTEs during the prior year (this is why an analysis in 2013 is critical). The number of FTEs is determined by calculating for each month of the prior calendar year (1) the aggregate number of hours worked (excluding any employee exceeding 120 hours) by non-full-time employees (those working less than 30 hours per week) in that month, (2) dividing by 120, (3) adding together the results of (2) for each month and (4) dividing by 12.  Hours worked means hours when an employee is entitled to pay taking into account vacation, sick time etc. Special rules apply to businesses that have irregular vacation periods, such as educational employers, that make determining a monthly calculation more difficult.

More Points to Consider

The mandate applies to for-profit entities, government entities, and tax exempt entities. Affiliated entities under common control will be viewed as one entity in determining whether large employer status applies. Successor employers are considered the same as the predecessor. New employers will be viewed as to whether they reasonably expect to employ at least 50 employees or FTEs during a calendar year.

Note that the common law interpretation of “employer” and “employee” will apply, and an employer’s  classification of independent contractor, consultant or otherwise as opposed to employee will likely receive very close scrutiny . Thus, care should be taken when deciding you are NOT a large employer and therefore exempt from the mandate based on your designation of workers as independent contractors as opposed to employees.

As is evident from the above, there are fairly complicated questions to be answered in determining “large” employer status. If in doubt, seek guidance from your legal expert on the PPACA mandates and/or Labor and Employment Law counsel.

First HHS Settlement for Small HIPAA Breach

By Michael P. Pasternack on Posted in Audit and Compliance, HIPAA and Privacy, Hospitals and Health Care Facilities, Information Technology and EMR, Long Term Care, Home Health and DME, Physicians and Other Licensed Professionals

On January 2, 2013, the US Department of Health and Human Services announced a $50,000 settlement with Hospice of North Idaho for a data breach involving the theft of a lost, unencrypted laptop computer containing the health information of 441 patients.

This settlement is the first for a reported breach affecting fewer than 500 individuals.   HHS Office of Civil Rights Director Leon Rodriguez stated that “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.”

A few takeaways from this settlement:

  • All HIPAA covered entities should conduct initial and ongoing risk assessments regarding use of electronic PHI;
  • Providers should develop and adopt policies and procedures regarding the use of mobile devices such as laptops, tablets, and smart phones containing electronic PHI, and appropriate safeguards to implement;
  • Think about who should have access to the devices, how they are protected or encrypted, where they are stored;
  • Providers should carefully investigate all data breaches, no matter how small;
  • After an investigation, review the provisions of the HITECH Act regarding breach notification; must the provider notify HHS immediately, notify the affected individuals, or take other measures?
  • Consult with counsel familiar with HIPAA, HITECH and data breaches to ensure that all Federal and State obligations are being met with an appropriate investigation, response, remedial assessments and policies and procedures.