In our July 10, 2017 post, Concierge Medicine – Is it for you?, we cautioned that Medicare compliance concerns do not fall away when moving to a concierge or direct-pay model.  HHS has determined that concierge-style agreements are permitted as long as Medicare requirements are not violated.  Unless a physician has opted out of Medicare, the predominant requirement is that an access or membership fee cannot be charged to a Medicare patient for services that are already covered by Medicare.  But how does a concierge physician know where to draw the line?  The relevant authorities have issued very limited guidance in this area.

In March 2004, an OIG Alert was issued reminding Medicare participating providers that they may not charge Medicare patients fees for services already covered by Medicare.  OIG used, as an example, a case involving physician’s charge of $600 for a “Personal Health Care Medical Care Contract” that covered, among other things, coordination of care with other providers, a comprehensive assessment and plan for optimum health, and extra time spent on patient care.  Because some of these services were already reimbursable by Medicare, the physician was found to be in violation of his assignment agreement and was subjected to civil money penalties.  The physician entered into a settlement with OIG and was required to stop offering these contracts.

In 2007, OIG settled another case involving a physician engaged in a concierge-style practice.  There, the physician, who also had not opted out of Medicar, asked his patients to enter into a contract under which the patients paid an annual fee. Under the contract, the patient was to be provided with an annual comprehensive physical examination, coordination of referrals and expedited referrals, if medically necessary, and other service amenities.  The physician was similarly found to have violated the Civil Monetary Penalties Law by receiving additional payment for Medicare-covered services and agreed to pay $106,600 to resolve his liability.

As demonstrated by these settlements, violations of a physician’s assignment agreement results in substantial penalties and exclusion from Medicare and other Federal health care programs.  It would behoove a concierge physician to tailor contracts offered to Medicare patients.  Fees charged under such contracts should relate only to noncovered services and amenities.  For example, fees could relate to additional screenings by the concierge physician that are not covered by Medicare or amenities such as private waiting rooms.

According to the GAO’s 2005 Report on Concierge Care Characteristics and Considerations for Medicare, HHS OIG has not issued more detailed guidance on concierge care because its role is to carry out enforcement, not to make policy.  However, physicians with specific concerns regarding the structure of their concierge care agreements or practices may request an advisory opinion from HHS addressing their concerns.  Advisory opinions are legally binding on HHS and the party so long as the arrangement is consistent with the facts provided when seeking the opinion.

Next week, look for the release of Medical Marijuana 105, the fifth post in a series of posts discussing the current state of law in New York regarding medical marijuana.  To read the latest post in the series, Medical Marijuana 104:  Responsibilities of Health Insurers, click here.

This blog post is the third in a series of articles discussing the current state of the law in New York regarding medical marijuana. To read the latest post in the series, Medical Marijuana 102: NYS Registered Organizations and Dispensaries, click here.

In today’s post we’re going to be reviewing the requirements imposed by New York’s Medical Marijuana Program upon patients and certifying practitioners. As of August 22, 2017, 1,184 practitioners have registered with the NYS Department of Health (“DOH”) for the purpose of certifying patients for medical marijuana use and 28,077 patients have been certified for such use.

The DOH authorizes physicians, nurse practitioners and physician assistants to certify patients for medical marijuana use. As we mentioned in Medical Marijuana 101, New York’s Medical Marijuana Program is available only to patients who suffer from one of the following severe, debilitating or life-threatening conditions: cancer, positive status for HIV or AIDS, amyotrophic lateral sclerosis (ALS), Parkinson’s disease, multiple sclerosis, damage to the nervous tissue of the spinal cord with objective neurological indication of intractable spasticity, epilepsy, inflammatory bowel disease, neuropathy, chronic pain, or Huntington’s disease. Patients must also have one of the following associated or complicating conditions: cachexia or wasting syndrome, severe or chronic pain, severe nausea, seizures, or severe or persistent muscle spasms.

Practitioners who wish to certify patients to use medical marijuana must meet four general criteria. First, the practitioner must be qualified to treat patients who suffer from one or more of the serious conditions listed above.

Second, the practitioner must be either (1) a licensed physician who is in good standing as a physician and practicing medicine in New York State, (2) a certified nurse practitioner who is in good standing as a nurse practitioner and practicing in New York State, or (3) a licensed physician assistant who is in good standing as a physician assistant and practicing in New York State under the supervision of a physician registered with the New York State Medical Marijuana Program.

Third, the practitioner must have completed a four-hour course approved by the NYS Health Commissioner. The course must include the following course content: the pharmacology of marihuana; contraindications; side effects; adverse reactions; overdose prevention; drug interactions; dosing; routes of administration; risks and benefits; warnings and precautions; abuse and dependence; and such other components as determined by the commissioner. Currently the Commissioner has only approved two providers, TheAnswerPage and The Medical Cannabis Institute, to offer the course. The course is available to all interested parties, meaning that you can take the course even if you are not in the medical field and/or not looking to certify patients for medical marijuana use.

Lastly, the practitioner must have registered with the DOH. Practitioners can only register with the DOH if they’ve taken the four-hour course. Once a practitioner has completed the registration process they will then have access to the Medical Marijuana Data Management System which will allow them to issue certifications to qualifying patients.

Qualifying patients suffering from the severe illnesses listed above can learn more about whether medical marijuana may help them by speaking with a practitioner that is registered with the program. To help patients locate a registered practitioner, the DOH keeps an updated list of registered practitioners on its website.

Once patients are certified by a registered practitioner for medical marijuana use, patients must register with the DOH by, among other things, providing documentation to prove their identity and NYS residency. When patients register with the DOH they can also designate up to two caregivers. Those caregivers must also register with the DOH using the same online system as the one used by patients. Pursuant to the Compassionate Care Act there is a $50 application fee but the DOH is currently waiving the $50 fee for all patients and their designated caregivers.

Once a patient or caregiver’s registration is processed, the DOH mails a registry ID card directly to the patient or caregiver. Registrations expire when the certification that was issued by the practitioner expires. At this time, New York State does not accept certifications or registry ID cards from other states. This is not unusual as there are currently only three states (Nevada, Hawaii and Maine) that practice full reciprocity and will legally allow, under certain circumstances, out-of-state patients to make purchases at licensed dispensaries.

Now that we’ve learned about the basic regulations covering patients and practitioners we’re going to turn our attention to other important parties that play a role in the medical marijuana industry. Check back soon for Medical Marijuana 104: Responsibilities of Health Insurers. To be sure not to miss the article when it comes out, we invite you to subscribe to the Farrell Fritz New York Health Law Blog.

This blog post is the second in a series of articles discussing the current state of the law in New York regarding medical marijuana. To read the first post in the series, Medical Marijuana 101: The State of the Law in NY, click here.

One of the biggest questions that people have when discussing medical marijuana in New York is where can patients obtain medical marijuana products.

Before a patient can obtain medical marijuana products, he or she must first be issued a certification for medical marijuana by a practitioner, who is registered with the NYS Department of Health’s Medical Marijuana Program, and obtain a Registry Identification Card. Patients can then use that Registry Identification Card to visit a dispensing facility to obtain medical marijuana products. We’ll dive into the requirements imposed upon patients and certifying physicians in our next post and concentrate today on registered organizations and dispensaries.

Registered organizations are responsible for the manufacturing and dispensing of medical marijuana in New York State. At the time that the medical marijuana program was launched in 2016, New York approved five registered organizations: Columbia Care NY LLC, Etain, LLC, MedMen, Inc. (formerly known as Bloomfield Industries Inc.), PharmaCann LLC and Vireo Health of New York LLC (formerly known as Empire State Health Solutions).

On August 1, 2017, the NYS Department of Health announced that it has licensed five new companies to join the original five: Valley Agriceuticals, LLC, Citiva Medical LLC, PalliaTech NY, LLC, NYCanna LLC and Fiorello Pharmaceutics, Inc.

Valley Agriceuticals and Citiva are authorized to bring dispensaries to Brooklyn, Pallia and NYCanna are expected to open somewhere in Queens, and Fiorello Pharmaceutics is authorized to open a dispensary in Manhattan. Each of the new registered organizations received authority to open dispensing facilities in other delineated areas of New York as well. Under the Compassionate Care Act, each registered organization is authorized to have up to four dispensing facilities, meaning that there could be up to forty dispensing facilities statewide if each registered organization is fully developed.

Registered organizations must manufacture medical marijuana products in an indoor, enclosed, secure facility located in New York State and may only manufacture medical marijuana products in forms approved by the Commissioner of Health. These forms include liquid or oil preparations for metered oromucosal or sublingual administration or administration per tube; metered liquid or oil preparations for vaporization; and capsules for oral administration. Smoking, as of now, is not an approved route of administration. On August 10, 2017, the NYS Department of Health proposed broadening the acceptable forms to include ointments, patches, lozenges and chewable tablets.

A certified patient can go to any dispensing facility of a registered organization in New York. This provides greater options to patients as not every dispensing facility sells the same types of medical marijuana. There are currently two New York State-mandated products for medical marijuana which require set ratios of Delta-9-tetrahydrocannabinol (THC) and cannabidiol (CBD), the two main chemicals used in manufacturing medical marijuana. Those two products must be offered by each registered organization, but a registered organization may also offer other products at the dispensing facility that have varying ratios of THC to CBD. It is expected that other products will be offered over time.

In addition, certified patients who are unable to go to a dispensing facility may designate a caregiver who can go for them. Registered organizations are also permitted to offer delivery services to patients and designated caregivers to help expand access to those who are unable to travel to a dispensing facility.

As you might imagine, dispensing facilities are subject to a number of regulations in order to ensure that patient health is properly protected. Among other requirements, dispensing facilities must (1) have a licensed NYS pharmacist on site to directly supervise the facility when open, (2) not sell items other than medical marijuana products approved by the NYS Department of Health, (3) not allow the consumption of the medical marijuana by the patient at the facility, (4) not allow certified patients or their caregivers to consume any food or beverages at the facility unless necessary for medical reasons, (5) maintain a visitor log, and (6) firmly affix a patient-specific dispensing label approved by the Department of Health that is easily readable and includes a delineated list of items. The regulations allow dispensaries to provide up to a 30-day supply of medical marijuana to a certified patient.

Dispensing facilities, as well as the manufacturing facilities operated by registered organizations, must also meet a number of security regulations. Registered organizations must also provide an electronic report to the NYS Department of Health of all approved medical marijuana products that are dispensed within 24 hours after the medical marijuana was dispensed to the certified patient or designated caregiver.

Now that we have a basic understanding of registered organizations and dispensing facilities, check back soon for Medical Marijuana 103: Patient and Physician Regulations in New York State.

Effective March 1, 2017, the New York State Department of Financial Services promulgated regulations to help protect against cybercriminals and their efforts to exploit sensitive electronic data. These cybersecurity regulations apply to all individuals and entities that “operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law”, with a few exceptions.  This will undoubtedly result in insurance companies and other related healthcare entities, which hold sensitive patient health information, beefing up their internal and external rules and policies.  New York’s proactive stance should be taken with the utmost seriousness seeing that there are more than 400 cyberattacks each day over the internet, or almost 3 every minute.

The United States Congress has enacted a similar law to protect health information, the Health Insurance Portability and Accountability Act (“HIPAA”). However, because HIPAA was enacted and modified years prior to cybersecurity becoming a prominent threat to our society, HIPAA does not provide as much protection to patients’ electronic data as the New York regulations do.  HIPAA does provide important guidelines and safeguards to ensure the integrity and confidentiality of protected health information, but does not elaborate on many of the issues presented in New York’s cybersecurity regulations.

New York’s cybersecurity regulations require all “Covered Entities”, as defined in the regulations, to maintain a cybersecurity program to guard the confidentiality of Nonpublic Information, which includes a risk assessment and a comprehensive cybersecurity policy.  In addition, Covered Entities are now required to designate an individual to serve as the Chief Information Security Officer (“CISO”).  The CISO is tasked with overseeing, implementing and enforcing the Covered Entity’s cybersecurity policy, and is required to report, in writing and at least annually, to the Covered Entity’s Board of Directors or similar governing body.  The CISO’s report must include, as applicable, information on “(1) the confidentiality of Nonpublic Information and the integrity and security of the Covered Entity’s Information Systems; (2) the Covered Entity’s cybersecurity policies and procedures; (3) material cybersecurity risks to the Covered Entity; (4) overall effectiveness of the Covered Entity’s cybersecurity program; and (5) material Cybersecurity Events involving the Covered Entity during the time period addressed by the report.”

Compliance with the cybersecurity regulations will be transitioned over a two-year period with full compliance required by March 1, 2019.

The Medicaid Fraud Control Unit (MCFU) of the New York State Office of the Attorney General has recently issued restitution demand letters to providers for allegedly entering into percentage-based contracts with their billing agents. The MCFU letters cite the Medicaid Update March 2001, titled “A Message for Providers Using Service Agents as follows:

Billing agents are prohibited from charging Medicaid providers a percentage of the amount claimed or collected. In addition, such payment arraignments, when entered into by a physician, may violate the Education Law and State Education Department’s regulations on unlawful fee-splitting.

A physician will be guilty of misconduct if he or she permits:

any person to share in the fees for professional services, other than: a partner, employee, associate in a professional firm or corporation, professional subcontractor or consultant authorized to practice medicine, or a legally authorized trainee practicing under the supervision of a licensee. This prohibition shall include any arrangement or agreement whereby the amount received in payment for furnishing space, facilities, equipment or personnel services used by a licensee constitutes a percentage of, or is otherwise dependent upon, the income or receipts of the licensee from such practice, except as otherwise provided by law with respect to a facility licensed pursuant to article twenty-eight of the public health law or article thirteen of the mental hygiene law.

See Educ. Law §6530(19)*.

A physician is subject to professional misconduct charges if he or she has

directly or indirectly requested, received or participated in the division, transference, assignment, rebate, splitting, or refunding of a fee for, or has directly requested, received or profited by means of a credit or other valuable consideration as a commission, discount or gratuity, in connection with the furnishing of professional care or service . . .

See Educ. Law §6531.

The prohibition against fee-splitting is related to the state anti-kickback law which prohibits physicians from

[d]irectly or indirectly offering, giving, soliciting, or receiving or agreeing to receive, any fee or other consideration to or from a third party for the referral of a patient or in connection with the performance of professional services . . .

See Educ. Law §6530 (18).

Licensed professionals in New York State must review their contracts to verify that the compensation paid to their agents is not based on a percentage of fees for professional services.

*A similar rule applies to other licensed professionals. See N.Y. Rules of the Board of Regents §29.1(b)(4).

**In addition to the Federal Anti-Kickback Statute at 42 U.S.C. §1320a-7b(b), New York has enacted its own wide-reaching anti-kickback and anti-referral laws and regulations seeking to eliminate fraud and abuse in healthcare on a statewide basis. The state anti-kickback statue is set forth in the Social Services Law (See N.Y. Social Services Law § 366-d). The N.Y. Education Law addresses matters of professional misconduct rather than violations of fraud and abuse laws and regulations.

The Supreme Court recently allowed liability through the implied certification theory of the False Claims Act (FCA), which was raised and upheld in Universal Health Services, Inc. v. United States ex rel. Escobar. The decision provided for a new applicable standard and resolved the split among circuit courts on whether to recognize the theory.

In Escobar, a teenaged patient was receiving health services from a mental health facility. The patient had an adverse reaction to medication prescribed and died of a seizure. The parents later discovered United Health Services sought reimbursement from MassHealth (the Massachusetts State Medicaid Program) for mental health services provided at the facility by individuals who did not meet the standards for licensure and other requirements. The parents then filed a qui tam suit relying on the implied certification theory of liability. The District Court ruled against the parents finding the claims for reimbursement were not expressly false because the facility made no express statement regarding the service providers. United States ex. rel. Escobar v. Universal Health Services, 780 F.3d 504 (1st Cir. 2015). On appeal, the First Circuit rejected the bright line approach and determined that compliance with licensure and other MassHealth regulatory requirements were conditions of payment sufficient to support an FCA suit. United States ex. rel. Escobar v. Universal Health Services., 780 F.3d 504 (1st Cir. 2015)

The Supreme Court held that implied false certification is a proper basis for liability under the False Claims Act where (1) “the claim does not merely request payment, but also makes specific representations about the goods or services provided”, and (2) “the defendant’s failure to disclose noncompliance with material statutory, regulatory, or contractual requirements makes those representations misleading half-truths.” The Court focused on defining the FCA’s materiality standard as whether the government’s knowledge of the noncompliance “would have” affected their payment decision rather than “could have”. The Court further explained that whether an obligation was a condition of payment relates to, but is not dispositive of, materiality.

Now, after Escobar, FCA plaintiffs must overcome a more demanding materiality standard when relying on implied false certification to establish False Claims Act liability.

Special thanks to Law Clerk Joanna Lima for her assistance in preparing this blog post.

Consumers often seek online reviews of a business on platforms such as Yelp, CitySearch, Yahoo and Google Plus Pages before purchasing products or services. This includes patients seeking online reviews of a physician or other licensed professional before seeking treatment. Unfortunately, a practice known as “Astroturfing” has developed where businesses attempt to create an impression of widespread support for their services or products, where little such support exists. This practice is now occurring in the health care industry.

On December 2, 2016, New York Attorney General Eric T. Schneiderman announced a $100,000 settlement with the urgent care medical service provider MedRite, LLC, d/b/a Medrite Urgent Care (“Medrite”). According to the announcement, Medrite paid thousands of dollars to internet advertising companies and freelance writers for positive reviews on consumer opinion websites. However, Medrite never required that reviewers visit a Medrite facility or experience Medrite’s services, and Medrite never disclosed that the reviewers were paid for the review.

The announcement cites New York Executive Law §63 (12) and the General Business Law §349 and 350 which prohibit misrepresentation and deceptive acts or practices in the conduct of any business. The announcement further cites the FTC “Guidelines on the use of endorsements and testimonials in advertising” (16 CFR Part 255) which state that it is a deceptive practice to solicit endorsement support for a product or service without disclosing material connections between the endorser and the advertiser sponsor. Medrite never disclosed that the reviewers were paid by the review. Under the settlement, Medrite is prohibited from falsely saying that someone promoting its services is an independent party and it cannot pay an endorser unless the payment is disclosed.

Picture1Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) is the first business associate to be held directly liable for violations under the HIPAA rules. CHCS provided management and information technology services to six nursing homes. According to the OCR Resolution Agreement, OCR received separate notifications from each of the six nursing homes regarding a breach of unsecured electronic protected health information (ePHI) by CHCS resulting from the theft of a CHCS mobile device. The mobile device containing ePHI of 412 nursing home residents was neither encrypted nor password-protected. The settlement includes a monetary payment of $650,000 and a two-year corrective action plan.

OCR’s investigation concluded that:

  1. CHCS failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by CHCS; and
  2. CHCS failed to implement appropriate security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level to comply with the HIPAA Security Rule.

It is important for Business Associates and subcontractors of Business Associates to understand that since enactment of the Omnibus Rule in 2013, Business Associates and their subcontractors can be held directly liable for HIPAA violations, including the failure to conduct appropriate risk assessments and the failure to adopt adequate written policies and procedures to reduce the risk of violations.

The Department of Health and Human Services, Office for Civil Rights (“OCR”), enforces the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). This includes the requirement that Covered Entities (health care providers and health plans) have Business Associate Agreements with their “Business Associates.”

“Business Associates” are persons or entities who “create, receive, maintain or transmit Protected Health Information (“PHI”) in performing services on behalf of a Covered Entity. Furthermore, a subcontractor of a Business Associate that creates, receives, maintains or transmits PHI on behalf of a Business Associate is also a “Business Associate.”

Both Covered Entities and Business Associates are directly liable for failing to have a compliant Business Associate Agreement in place. In addition, Business Associates must have Business Associate Agreements with their subcontractors who create, receive, maintain or transmit PHI on behalf of a Business Associate.

Recent cases of OCR enforcement for failure to have a required Business Associate Agreement include:

  • North Memorial Health Care of Minnesota agreed to pay $1.55 million to settle OCR charges for failing to have a Business Associate Agreement in place when a business associate’s laptop containing thousands of individuals’ PHI was lost.
  • Raleigh Orthopedic Clinic agreed to pay $750,000 and to enter into a Corrective Action Plan in settlement of OCR charges that it failed to have a Business Associate Agreement in place with its Business Associate engaged to transfer x-rays to electronic media.
  • Triple-S Management Corporation agreed to pay $3.5 million to settle OCR charges of multiple violations, including “impermissible disclosure of its beneficiaries’ PHI to an outside vendor without having a required Business Associate Agreement in place.”

To avoid multi-million dollar settlements, Covered Entities must evaluate their relationships with third parties, and Business Associates must evaluate their relationships with subcontractors, to ensure required Business Associate Agreements are in place. Covered Entities and Business Associates should consider adopting written policies and procedures regarding their Business Associates and subcontractors to demonstrate their efforts at compliance.

 

*My thanks to Farrell Fritz summer associate Joanna Lima for her assistance with this blog posting.

imagesPA8ET6EQIn our previous post [found here], we explained that, under the Privacy Rule, HIPAA covered entities (health care providers and health plans) must provide individuals and their “personal representatives” with access to the individual’s protected health information. An individual’s personal representative is determined under State law. In this post, we will define who is a “personal representative” under New York law.

Section 18(2) of the New York Public Health Law (PHL) states that, upon written request, a health care provider shall provide an opportunity, within ten days, for a patient to inspect the patient’s information concerning or relating to the examination or treatment of the patient. Upon the written request of any qualified person, a health care provider shall furnish to the qualified person, within a reasonable time, a copy of any patient information requested which the authorized person may inspect. The law provides no specific time period by which copies of medical records must be provided. However, the New York State Department of Health considers 10 to 14 days to be a reasonable time in which a practitioner should respond to such a request.

A “qualified person” under PHL§ 18(1)(g) includes:

  1. the properly identified patient;
  2. a guardian for an incapacitated person appointed under article eighty-one of the mental hygiene law;
  3. a parent of an infant or a guardian of an infant appointed under article seventeen of the Surrogate’s Court Procedure Act or other legally appointed guardian of an infant who may request access to a clinical record;
  4. a distributee of any deceased subject for whom no personal representative, as defined in the Estates, Powers and Trusts Law, has been appointed; or
  5. an attorney representing a qualified person or the subject’s estate who holds a power of attorney from the qualified person or the subject’s estate explicitly authorizing the holder to execute a written request for patient information.

PHL§ 18(1)(g) states that a qualified person shall be deemed a “personal representative of the individual” for purposes of HIPAA and its implementing regulations. Although not a “qualified person,” an agent appointed under a patient’s Health Care Proxy may also receive medical information and medical and clinical records necessary to make informed decisions regarding the patient’s health care (See PHL § 2982(3)). Presumably, the holder of a Health Care Proxy would also be a “personal representative of the individual” for purposes of HIPAA, although there is no explicit statement to that effect in PHL § 2982.

There are circumstances where a qualified person may be denied access to inspect or obtain a copy of the patient’s records. In the next post, we will explain those circumstances.