The Medicaid Fraud Control Unit (MCFU) of the New York State Office of the Attorney General has recently issued restitution demand letters to providers for allegedly entering into percentage-based contracts with their billing agents. The MCFU letters cite the Medicaid Update March 2001, titled “A Message for Providers Using Service Agents as follows:

Billing agents are prohibited from charging Medicaid providers a percentage of the amount claimed or collected. In addition, such payment arraignments, when entered into by a physician, may violate the Education Law and State Education Department’s regulations on unlawful fee-splitting.

A physician will be guilty of misconduct if he or she permits:

any person to share in the fees for professional services, other than: a partner, employee, associate in a professional firm or corporation, professional subcontractor or consultant authorized to practice medicine, or a legally authorized trainee practicing under the supervision of a licensee. This prohibition shall include any arrangement or agreement whereby the amount received in payment for furnishing space, facilities, equipment or personnel services used by a licensee constitutes a percentage of, or is otherwise dependent upon, the income or receipts of the licensee from such practice, except as otherwise provided by law with respect to a facility licensed pursuant to article twenty-eight of the public health law or article thirteen of the mental hygiene law.

See Educ. Law §6530(19)*.

A physician is subject to professional misconduct charges if he or she has

directly or indirectly requested, received or participated in the division, transference, assignment, rebate, splitting, or refunding of a fee for, or has directly requested, received or profited by means of a credit or other valuable consideration as a commission, discount or gratuity, in connection with the furnishing of professional care or service . . .

See Educ. Law §6531.

The prohibition against fee-splitting is related to the state anti-kickback law which prohibits physicians from

[d]irectly or indirectly offering, giving, soliciting, or receiving or agreeing to receive, any fee or other consideration to or from a third party for the referral of a patient or in connection with the performance of professional services . . .

See Educ. Law §6530 (18).

Licensed professionals in New York State must review their contracts to verify that the compensation paid to their agents is not based on a percentage of fees for professional services.

*A similar rule applies to other licensed professionals. See N.Y. Rules of the Board of Regents §29.1(b)(4).

**In addition to the Federal Anti-Kickback Statute at 42 U.S.C. §1320a-7b(b), New York has enacted its own wide-reaching anti-kickback and anti-referral laws and regulations seeking to eliminate fraud and abuse in healthcare on a statewide basis. The state anti-kickback statue is set forth in the Social Services Law (See N.Y. Social Services Law § 366-d). The N.Y. Education Law addresses matters of professional misconduct rather than violations of fraud and abuse laws and regulations.

The Supreme Court recently allowed liability through the implied certification theory of the False Claims Act (FCA), which was raised and upheld in Universal Health Services, Inc. v. United States ex rel. Escobar. The decision provided for a new applicable standard and resolved the split among circuit courts on whether to recognize the theory.

In Escobar, a teenaged patient was receiving health services from a mental health facility. The patient had an adverse reaction to medication prescribed and died of a seizure. The parents later discovered United Health Services sought reimbursement from MassHealth (the Massachusetts State Medicaid Program) for mental health services provided at the facility by individuals who did not meet the standards for licensure and other requirements. The parents then filed a qui tam suit relying on the implied certification theory of liability. The District Court ruled against the parents finding the claims for reimbursement were not expressly false because the facility made no express statement regarding the service providers. United States ex. rel. Escobar v. Universal Health Services, 780 F.3d 504 (1st Cir. 2015). On appeal, the First Circuit rejected the bright line approach and determined that compliance with licensure and other MassHealth regulatory requirements were conditions of payment sufficient to support an FCA suit. United States ex. rel. Escobar v. Universal Health Services., 780 F.3d 504 (1st Cir. 2015)

The Supreme Court held that implied false certification is a proper basis for liability under the False Claims Act where (1) “the claim does not merely request payment, but also makes specific representations about the goods or services provided”, and (2) “the defendant’s failure to disclose noncompliance with material statutory, regulatory, or contractual requirements makes those representations misleading half-truths.” The Court focused on defining the FCA’s materiality standard as whether the government’s knowledge of the noncompliance “would have” affected their payment decision rather than “could have”. The Court further explained that whether an obligation was a condition of payment relates to, but is not dispositive of, materiality.

Now, after Escobar, FCA plaintiffs must overcome a more demanding materiality standard when relying on implied false certification to establish False Claims Act liability.

Special thanks to Law Clerk Joanna Lima for her assistance in preparing this blog post.

Consumers often seek online reviews of a business on platforms such as Yelp, CitySearch, Yahoo and Google Plus Pages before purchasing products or services. This includes patients seeking online reviews of a physician or other licensed professional before seeking treatment. Unfortunately, a practice known as “Astroturfing” has developed where businesses attempt to create an impression of widespread support for their services or products, where little such support exists. This practice is now occurring in the health care industry.

On December 2, 2016, New York Attorney General Eric T. Schneiderman announced a $100,000 settlement with the urgent care medical service provider MedRite, LLC, d/b/a Medrite Urgent Care (“Medrite”). According to the announcement, Medrite paid thousands of dollars to internet advertising companies and freelance writers for positive reviews on consumer opinion websites. However, Medrite never required that reviewers visit a Medrite facility or experience Medrite’s services, and Medrite never disclosed that the reviewers were paid for the review.

The announcement cites New York Executive Law §63 (12) and the General Business Law §349 and 350 which prohibit misrepresentation and deceptive acts or practices in the conduct of any business. The announcement further cites the FTC “Guidelines on the use of endorsements and testimonials in advertising” (16 CFR Part 255) which state that it is a deceptive practice to solicit endorsement support for a product or service without disclosing material connections between the endorser and the advertiser sponsor. Medrite never disclosed that the reviewers were paid by the review. Under the settlement, Medrite is prohibited from falsely saying that someone promoting its services is an independent party and it cannot pay an endorser unless the payment is disclosed.

Picture1Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) is the first business associate to be held directly liable for violations under the HIPAA rules. CHCS provided management and information technology services to six nursing homes. According to the OCR Resolution Agreement, OCR received separate notifications from each of the six nursing homes regarding a breach of unsecured electronic protected health information (ePHI) by CHCS resulting from the theft of a CHCS mobile device. The mobile device containing ePHI of 412 nursing home residents was neither encrypted nor password-protected. The settlement includes a monetary payment of $650,000 and a two-year corrective action plan.

OCR’s investigation concluded that:

  1. CHCS failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by CHCS; and
  2. CHCS failed to implement appropriate security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level to comply with the HIPAA Security Rule.

It is important for Business Associates and subcontractors of Business Associates to understand that since enactment of the Omnibus Rule in 2013, Business Associates and their subcontractors can be held directly liable for HIPAA violations, including the failure to conduct appropriate risk assessments and the failure to adopt adequate written policies and procedures to reduce the risk of violations.

The Department of Health and Human Services, Office for Civil Rights (“OCR”), enforces the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). This includes the requirement that Covered Entities (health care providers and health plans) have Business Associate Agreements with their “Business Associates.”

“Business Associates” are persons or entities who “create, receive, maintain or transmit Protected Health Information (“PHI”) in performing services on behalf of a Covered Entity. Furthermore, a subcontractor of a Business Associate that creates, receives, maintains or transmits PHI on behalf of a Business Associate is also a “Business Associate.”

Both Covered Entities and Business Associates are directly liable for failing to have a compliant Business Associate Agreement in place. In addition, Business Associates must have Business Associate Agreements with their subcontractors who create, receive, maintain or transmit PHI on behalf of a Business Associate.

Recent cases of OCR enforcement for failure to have a required Business Associate Agreement include:

  • North Memorial Health Care of Minnesota agreed to pay $1.55 million to settle OCR charges for failing to have a Business Associate Agreement in place when a business associate’s laptop containing thousands of individuals’ PHI was lost.
  • Raleigh Orthopedic Clinic agreed to pay $750,000 and to enter into a Corrective Action Plan in settlement of OCR charges that it failed to have a Business Associate Agreement in place with its Business Associate engaged to transfer x-rays to electronic media.
  • Triple-S Management Corporation agreed to pay $3.5 million to settle OCR charges of multiple violations, including “impermissible disclosure of its beneficiaries’ PHI to an outside vendor without having a required Business Associate Agreement in place.”

To avoid multi-million dollar settlements, Covered Entities must evaluate their relationships with third parties, and Business Associates must evaluate their relationships with subcontractors, to ensure required Business Associate Agreements are in place. Covered Entities and Business Associates should consider adopting written policies and procedures regarding their Business Associates and subcontractors to demonstrate their efforts at compliance.

 

*My thanks to Farrell Fritz summer associate Joanna Lima for her assistance with this blog posting.

imagesPA8ET6EQIn our previous post [found here], we explained that, under the Privacy Rule, HIPAA covered entities (health care providers and health plans) must provide individuals and their “personal representatives” with access to the individual’s protected health information. An individual’s personal representative is determined under State law. In this post, we will define who is a “personal representative” under New York law.

Section 18(2) of the New York Public Health Law (PHL) states that, upon written request, a health care provider shall provide an opportunity, within ten days, for a patient to inspect the patient’s information concerning or relating to the examination or treatment of the patient. Upon the written request of any qualified person, a health care provider shall furnish to the qualified person, within a reasonable time, a copy of any patient information requested which the authorized person may inspect. The law provides no specific time period by which copies of medical records must be provided. However, the New York State Department of Health considers 10 to 14 days to be a reasonable time in which a practitioner should respond to such a request.

A “qualified person” under PHL§ 18(1)(g) includes:

  1. the properly identified patient;
  2. a guardian for an incapacitated person appointed under article eighty-one of the mental hygiene law;
  3. a parent of an infant or a guardian of an infant appointed under article seventeen of the Surrogate’s Court Procedure Act or other legally appointed guardian of an infant who may request access to a clinical record;
  4. a distributee of any deceased subject for whom no personal representative, as defined in the Estates, Powers and Trusts Law, has been appointed; or
  5. an attorney representing a qualified person or the subject’s estate who holds a power of attorney from the qualified person or the subject’s estate explicitly authorizing the holder to execute a written request for patient information.

PHL§ 18(1)(g) states that a qualified person shall be deemed a “personal representative of the individual” for purposes of HIPAA and its implementing regulations. Although not a “qualified person,” an agent appointed under a patient’s Health Care Proxy may also receive medical information and medical and clinical records necessary to make informed decisions regarding the patient’s health care (See PHL § 2982(3)). Presumably, the holder of a Health Care Proxy would also be a “personal representative of the individual” for purposes of HIPAA, although there is no explicit statement to that effect in PHL § 2982.

There are circumstances where a qualified person may be denied access to inspect or obtain a copy of the patient’s records. In the next post, we will explain those circumstances.

Picture1Under the Privacy Rule, HIPAA covered entities (health care providers and health plans) are required to provide individuals, upon request, with access to their protected health information (PHI) in one or more “designated record sets” maintained by or for the covered entity.

Covered entities are also required to protect the individual’s PHI from unauthorized disclosure. How must a covered entity verify the identity of the individual requesting the PHI so as to comply with the Privacy Rule without at the same time violating it?

Recent guidance from the Office of Civil Rights (OCR) is somewhat helpful.

According the guidance, the Privacy Rule requires a covered entity to take “reasonable steps” to verify the identity of an individual requesting access (citing 45 CFR 164.514(h)).  OCR confirms the Privacy Rule does not mandate the form of verification, but rather leaves the manner of verification to the professional judgment of the covered entity, provided the verification processes and measures “do not create barriers to or unreasonably delay the individual from obtaining access to her PHI”.  OCR explains that verification may be oral or in writing and states that the type of verification depends on how the individual is requesting or receiving access. For instance, a person may request access in person, by phone, by fax or e-mail, or through a web portal hosted by the covered entity.

OCR suggests that standard request forms ask for basic information about the individual to enable the covered entity to verify the individual is the subject of the information requested.  For those covered entities providing individuals with access to their PHI through web portals, the portals should be set up with appropriate authentication controls, as required by the HIPAA Security Rule (for instance password protection and required periodic password updates).

For individuals who may call requesting access to their PHI, good policy might require verification of the requestors date of birth, address, and perhaps the condition the individual was treated for.

Verifying the authority of an individual’s personal representative is determined under State law. In the next blog post, we will look at the law in New York on who is a qualified person for purposes of access to an individual’s medical records.

imagesNG7ROJJTCMS has published a Proposed Rule to clarify how physicians are to bill for services furnished “incident to” the professional services of a physician.

When a medical practice bills Medicare “incident to” for NPP services (i.e. “non-physician practitioners” such as nurses or physician assistants), the bill is rendered by the physician using the physician’s NPI number. Incident to services billed by the physician are paid at 100 percent of the fee schedule amount even though the physician did not perform the services. When the same services are billed by the NPP, the services are paid at 85 percent of the fee schedule amount. Specific requirements must be met for physicians to bill Medicare for incident to services. The services must be:

  • Furnished in a noninstitutional setting to noninstitutional patients.
  • An integral, though incidental, part of the service of a physician in the course of diagnosis or treatment of an injury or illness (understood to mean a physician has seen the patient first and initiated a plan of care being carried out by the NPP).
  • Furnished under direct supervision of a physician or other practitioner eligible to bill and directly receive Medicare payment (meaning the physician is present in the office suite).
  • Furnished by a physician, a practitioner with an incident to benefit, or auxiliary personnel.

NPP services may be billed under the physician’s NPI number when the services are part of the patient’s normal course of treatment, during which a physician performed an initial service and remains actively involved in the treatment.

The current regulations have caused confusion. The regulations state that the “physician supervising the auxiliary personnel need not be the same physician upon whose professional service the incident to service is based.” My interpretation of this is that a physician other than the physician that initiated the plan of care may supervise the NPP in the provision of services and such services will qualify as “incident to” if all other requirements are met. What remains unclear is which physician should bill for the incident to services, the supervising physician or the physician that initiated the plan of care. The proposed rule attempts to clarify that the billing physician must be the physician that supervised the services and not the physician that initially saw the patient and instituted the plan of care.

Care must be taken to ensure the supervising physician’s NPI number is used. This can be a challenge in busy medical offices where the physicians are regularly in the OR or conducting rounds.

Physicians often practice through a limited liability entity to shield the physician from practice liabilities. In New York, such entities may take the form of a professional service corporation, professional limited liability company, or professional limited liability partnership. Regardless of the type of entity selected, professionals in New York remain “personally and fully liable and accountable for any negligent or wrongful act or misconduct committed by him or her or by any person under his or her direct supervision and control while rendering professional services on behalf of [the entity],” See NY BCL§1505(a); NY LLCL §1205; N.Y. PTR. LAW § 26(c).

The issue of whether certain alleged tortfeasers were under a physician-shareholder’s “direct supervision and control” was recently presented in Schaefer v. Mackinnon, 117235/09, NYLJ 1202669507383, at *1 (Sup., NY, Decided August 27, 2014). In Schaefer, Plaintiffs Frank Schaefer and his wife, Maria Schaefer, brought a medical malpractice suit against Broadway Cardiopulmonary, P.C. and its four shareholders for injuries Mr. Schaefer sustained during a cardiac stress test. Additional defendants include the alleged tortfeasers, David Mackinnon, M.D., a non-shareholder physician, a medical assistant and a medical technologist, all employees of Broadway Cardiopulmonary, P.C.  According to the record, the test was ordered by Dr. Mackinnon, but Dr. Mackinnon did not interview or examine Mr. Schaefer prior to or during the course of testing. The test was administered by the medical technologist who apparently left the room during testing. Mr. Schaefer passed out and fell resulting in injuries.

The defendant shareholders moved for summary judgment arguing they did not directly supervise or control the alleged tortfeasers during the rendering of professional services as the test was performed by the other named defendants and not the shareholders. Plaintiffs opposed the motion stating the shareholders failed to implement guidelines, controls and procedures for proper and safe testing.

In analyzing the issue, Justice Joan B. Lobis looked to the Appellate Divisions ruling in Wise v. Greenwald, 208 A.D.2d 1141 (3rd Dep’t 1994).

“In Wise, the appellate court considered the liability under Section 1505(a) of the Business Corporation Law of a shareholder of a dental practice, whose employee dentist allegedly negligently extracted Wise’s tooth. Indicia of liability included the shareholder’s hiring responsibilities, setting hours of operation, evaluation of employees, and whether any intermediary supervisor lay between the shareholder and employee whose actions were at issue. Id. at 1142. Applying these factors, the Wise Court affirmed the denial of the shareholder’s motion for summary judgment. Id. at 1143.”

Turning to the case at hand, Justice Lobis looked to the testimony of the defendants finding that

• the four shareholders met at least every two months to discuss practice operations;

• all four shareholders signed the office lease, approved of the imaging machine at issue, and ordered medical and office supplies;

• all four shareholders hired and/or evaluated Dr. Mackinnon and the defendant medical technologist;

• one of the shareholders regularly discussed operational issues and staff scheduling with Dr. Mackinnon;

• the shareholders had the power to terminate employees;

• the medical technologist testified he reported directly to one of the shareholders yet he had not been trained or given procedures to follow in operating the imaging machine, he failed to monitor blood pressure, respiration or pulse before the resting portion of the stress test and he was not instructed to remain in the room with the patient during the equipment’s operation.

Based on the record, Justice Lobis found that genuine issues of material fact remain for a jury to determine whether the shareholders are liable for the actions of other persons at the practice.

Direct supervision and control by a shareholder-physician goes beyond supervision of the professional care provided. Shareholder-physicians who take on administrative oversight  responsibilities can be liable if they fail to properly train and control persons rendering professional services for the practice.

Alternatives to the hospital emergency room and primary care doctor’s office are opening in strip malls and other retail locations throughout the country. New York State is no exception. In an effort to provide oversight for these walk-in clinics, New York’s Public Health and Health Planning Council (PHHPC) has recommended regulations for these facilities.

The recommendations would place walk-in clinics into one of four categories:
1. Limited Services Clinics (Retail Clinics);
2. Urgent Care;
3. Hospital-Sponsored Freestanding Emergency Departments; and
4. Non-Hospital Surgery- Ambulatory Surgery Centers and Office-Based Surgery.

The recommendations for each category of walk-in clinic are summarized below:

Limited Services Clinics (Retail Clinics)

• The name, marketing materials and all signage would be required to include the term “Limited Services Clinic.”
• Services would be limited to episodic care related to minor ailments and immunizations.
• Surgical, dental, physical rehabilitation, mental health, substance abuse and birth center services would not be permitted.
• No dispensing of controlled substances would be permitted.
• No services could be administered to children 24 months of age or younger.
• No childhood immunizations to patients under 18 years of age (except influenza) would be permitted.
• Accreditation by a national organization approved by the NYS Department of Health (DOH) would be required.
• The clinic would be required to have a Medical Director at the corporate level who is licensed to practice medicine in New York.

Urgent Care Providers

• Urgent Care would be limited to treatment of acute episodic illness or minor traumas.
• Services required would include:

  • unscheduled, walk-in visits typically with extended hours on weekends and weekdays;
  • Ex-ray and EKG;
  • Laceration repair; and
  • Crash cart supplies and medications

• The term “Urgent Care” would be required in the name and in all signage at the provider site and in all marketing materials. Other commercial terms could still be used in the provider’s name, but would need to include “Urgent Care” (e.g. “FastMed Urgent Care”).
• The word “Emergency” or its variations would not be permitted for urgent care providers unless licensed by New York State as an emergency department.
• Non-article 28 Urgent Care would require accreditation. No CON review required.
• Article 28 Urgent Care not otherwise accredited would be surveyed by DOH.
• Existing Article 28 Hospital or D&TC providers wanting to provide Urgent Care would require a limited review of their operating certificate.
• Private physician practices affiliated with an Article 28 may provide urgent care if they are accredited or become an Article 28 through CON review.
• Establishment of a new Article 28 Hospital or D&TC to provide urgent care services would require CON review.

Freestanding Emergency Departments

• Hospital-sponsored off-campus “emergency department” would be defined as an emergency department that is hospital-owned and geographically removed from the hospital campus.
• PHHPC recommends that the sponsored off-campus emergency department use the name of the Hospital that owns the facility followed by “Satellite Emergency Department”.
• The facility would be subject to the same standards as a hospital-based emergency department regarding training of providers, staffing, and the array of services provided at the facility.
• Establishment of an off-campus emergency department would require full CON review.
• Accreditation would be required.

Non-Hospital Surgery

• No changes are recommended regarding ambulatory surgery.
• New and existing office-based surgery practices would require registration with DOH.
• All physician practices performing procedures utilizing more than minimal sedation would require accreditation and the provision of adverse event reports.

Limited Services Clinics, Urgent Care providers and Hospital-Sponsored Freestanding Emergency Departments would be required to utilize electronic medical records.  Further, these facilities would be required to provide a list of primary care providers to any patient indicating that they do not have a primary care provider. These clinics would also be required to recommend that the patient schedule an initial or annual appointment with a primary care provider and develop policies and procedures to identify and limit repeat encounters with patients.