Long Term Care, Home Health and DME

The New York State Department of Labor (the “DOL”) issued an emergency regulation clarifying its minimum-wage rules regarding home care employees. The emergency regulation provides that sleep and meal times for home care aides who work shifts of 24 hours or more are not counted as hours worked. Recently, there has been a ringing dissonance between the DOL and decisions set forth by the New York State Appellate Divisions, First and Second Departments, regarding whether home care workers should be paid for an entire 24-hour shift, including sleep and meal time. In fact, the DOL expressly cited the fact that the emergency regulation is being promulgated in direct reaction to decisions issued by the New York State Appellate Divisions. For reference, the decisions triggering the emergency regulation are: Moreno v. Future Care Health Servs., Inc., 2017 N.Y. App. Div. LEXIS 6462 (2d Dept Sept. 13, 2017); (2d Dep’t Sept. 13, 2017); Andreyeyeva v. New York Health Care, Inc., 2017 N.Y. App. Div. LEXIS 6408 (2d Dep’t Sept. 13, 2017); and Tokhtaman v. Human Care, LLC, 149 A.D.3d 476 (1st Dep’t Apr. 11, 2017).

The above-referenced decisions effectively flipped the New York home care industry on its head, each holding, in sum, that home care workers were entitled to pay for all 24 hours worked, including sleep and meal time. Enter the DOL, on October 5, 2017, who quickly put any remaining ambiguity to rest once and for all stating “that hours worked may exclude meal periods and sleep times for home care aides who work shifts of 24 hours or more”. The DOL reasoned that “[t]his regulation is needed to preserve the status quo, prevent the collapse of the homecare industry, and avoid institutionalizing patients who could be cared for at home, in the face of recent decisions by the State Appellate divisions that treat meal periods and sleep time [as hours worked]”.

The emergency regulation is expected to return the home care industry back to normalcy and prevent home care agencies from ceasing to provide “vital, lifesaving care” to thousands of New Yorkers who depend on it. The DOL explained that this “emergency adoption amends the relevant regulations to codify the Commissioner’s longstanding and consistent interpretations that such meal periods and sleep times do not constitute hours worked for purposes of minimum wage and overtime requirements”. And so, the longstanding rule about sleeping on the job still stands: you won’t get paid for it in New York.

Note:  Special thanks to our law clerk, Nicholas G. Moneta, for his assistance in drafting this blog post.

In our previous post, Medical Marijuana 103: Patient and Practitioner Regulations in New York State, we discussed that patients certified for medical marijuana use can designate up to two caregivers. Caregivers can assist patients who are unable to pick up medical marijuana at a dispensing facility or are unable to administer medical marijuana to themselves properly.

Previously the Medical Marijuana Program only allowed for designated caregivers to be natural persons. On October 5, 2017, however, the New York State Department of Health (“DOH”) issued emergency regulations that expand the definition of caregiver to allow certain facilities to be designated caregivers. By expanding the definition in this way, patients who are located in or reside at certain facilities can designate their facility as their caregiver, thus making it easier for such patients to obtain medical marijuana.

The new regulations define a designated caregiver as either a natural person or a facility. The term “facility” is further defined as, among others, hospitals, adult day care facilities, community mental health residences, and private and public schools. In addition, each division, department, component, floor or other unit of a parent facility may be designated as a “facility” for purposes of being designated a caregiver.

Just like natural persons, facilities will need to register with the DOH in order to be designated a caregiver for purposes of the Medical Marijuana Program. Once registered with the DOH facilities will be authorized to lawfully possess, acquire, deliver, transfer, transport and/or administer medical marijuana to certified patients residing in, or attending, that facility.

The DOH considered alternatives prior to issuing the emergency regulations, stating:

The Department could have chosen to keep the status quo and not allow patients to designate facilities as designated caregivers. The Department could have also allowed certified patients to designate an individual within the facility to be a caregiver. However, these options are not viable since patients in facilities may be cared for by multiple staff members in the course of a day. Certified patients have severe debilitating or life-threatening conditions and the regulatory amendments would help to prevent adverse events associated with abrupt discontinuation of a treatment alternative that may be providing relief for certified patients in these facilities.”

The regulations were published in the New York State Register on October 25, 2017. The DOH will accept comments from the public for a minimum of 45 days following the date of publication. After publication in the Register and receipt of public comment, the agency may either adopt, revise or withdraw the proposal. This change is just one of the latest revisions implemented by the DOH in an attempt to strengthen and expand New York’s struggling Medical Marijuana Program.

Picture1Under the Privacy Rule, HIPAA covered entities (health care providers and health plans) are required to provide individuals, upon request, with access to their protected health information (PHI) in one or more “designated record sets” maintained by or for the covered entity.

Covered entities are also required to protect the individual’s PHI from unauthorized disclosure. How must a covered entity verify the identity of the individual requesting the PHI so as to comply with the Privacy Rule without at the same time violating it?

Recent guidance from the Office of Civil Rights (OCR) is somewhat helpful.

According the guidance, the Privacy Rule requires a covered entity to take “reasonable steps” to verify the identity of an individual requesting access (citing 45 CFR 164.514(h)).  OCR confirms the Privacy Rule does not mandate the form of verification, but rather leaves the manner of verification to the professional judgment of the covered entity, provided the verification processes and measures “do not create barriers to or unreasonably delay the individual from obtaining access to her PHI”.  OCR explains that verification may be oral or in writing and states that the type of verification depends on how the individual is requesting or receiving access. For instance, a person may request access in person, by phone, by fax or e-mail, or through a web portal hosted by the covered entity.

OCR suggests that standard request forms ask for basic information about the individual to enable the covered entity to verify the individual is the subject of the information requested.  For those covered entities providing individuals with access to their PHI through web portals, the portals should be set up with appropriate authentication controls, as required by the HIPAA Security Rule (for instance password protection and required periodic password updates).

For individuals who may call requesting access to their PHI, good policy might require verification of the requestors date of birth, address, and perhaps the condition the individual was treated for.

Verifying the authority of an individual’s personal representative is determined under State law. In the next blog post, we will look at the law in New York on who is a qualified person for purposes of access to an individual’s medical records.

An interesting SDNY settlement agreement resolves some False Claims Act allegations, but leaves others for another day.  Visiting Nurse Service of New York (VNS) paid just under $35 million to the United States and New York State to settle allegations that VNS improperly billed Medicaid for 1,740 members whose needs did not qualify for a managed care plan.  The government alleged that these members were improperly referred by social adult day care centers (SADCC), or received services primarily from SADCCs, many of which provided substandard and minimal care.   

In the settlement agreement, VNS admitted that 1,740 Medicaid long term care  program members were referred by SADCCs or used SADCC services, and were not eligible to be members of the plan; and that various SADCCs in the provider network did not provide services that qualified as “personal care services” under the long term care program contract with New York’s Department of Health. 

The settlement agreement has a unique “Remaining Investigation” provision.  Most FCA settlement agreements are designed to settle all claims against the defendants.  The VNS settlement agreement, however, provides that it resolves only part of the United States investigation. Examples of allegations that are part of the “Remaining Investigation” are redacted in the publicly-filed document.  In a provision that could lead to interesting questions of interpretation, VNS agrees  “to cooperate with the Remaining Investigation,” but without waiving attorney-client or joint defense privileges, work product protections, or factual or legal defenses covering claims the government may bring against VNS.  The issue of whether VNS is satisfying its duty of cooperation under the agreement while maintaining assertions of privilege and factual and legal defenses will be difficult to sort out if it is ever litigated.  The settlement agreement carves out any potential claims against the president of the corporation that administered the managed health care plan, so that individual could be the focus of the “Remaining Investigation.”  In addition, the Court approved keeping the relator’s complaint and the government’s complaint-in-intervention under seal.

During the pendency of the “Remaining Investigation,” VNS agrees to monitor and further revise standards for credentialing SADCCs; only credential SADCCs that have necessary certificates; monitor SADCCs to ensure compliance with credentialing; ensure that SADCCs provide proper personal care services; and prohibit marketing practices directed at enrolling members through SADCCs.

Earlier this month, a bill to amend the False Claims Act (“FCA”), the “Fairness in Health Care Claims, Guidance and Investigations Act,” was introduced in the House of Representatives.  According to one of the bill’s sponsors, Rep. Howard Coble (R-NC), the bill’s purpose is to ensure that unintentional billing disputes are not penalized as fraud.

Some parts of the bill are unlikely to gain wide support.  First, the bill requires that before the Department of Justice (“DOJ”) requests information from a health care provider as part of an investigation, it would have to certify that the responsible agency had examined all regulations, guidelines and billing instructions, all communications with the alleged perpetrator, and each of the allegedly false claims, and certify that the allegations are viable and that the regulations, guidelines and billing instructions were unambiguous at the time of the violation.  Without such a certification, the Court would be required to dismiss a qui tam complaint based on those allegations.

When DOJ receives a qui tam complaint, however, it is mandated by law to investigate, and the bill would seem to require that the government undertake a full investigation based on its own records alone, and on all of the involved claims, before seeking any information from a provider.  The bill would also apply to federal investigations that do not arise from qui tam complaints.  Legislators are unlikely to so severely restrict the ability of federal agencies to investigate health care fraud in light of the massive resources being poured into enforcement.  Similarly, passage of the provision to raise the FCA standard of proof from “preponderance of the evidence” to “clear and convincing evidence” is a long-shot.

Sections Likely to Gain Support

Nevertheless, some parts of the bill could garner support because they go directly to the concept of “fairness” in the bill’s title, and the widespread concern that billing errors or confusion about compliance are routinely characterized by investigators and qui tam relators as fraud.  The bill provides that an FCA case could not be brought based on a claim submitted in good faith reliance on: (1) erroneous information supplied by an agency; (2) written statements of Federal policy provided by an agency; or (3) an audit or review by the agency of the person submitting the claim where there was no finding that the claim was a violation.  The bill would also bar FCA cases where a claim was submitted in substantial compliance with a model compliance program issued by HHS.  Some form of these provisions would add a measure of fairness for providers who are attempting to comply in good faith but do not succeed in meeting all the requirements of extremely complex regulations, guidelines and billing instructions.  Another bill provision would limit FCA claims to those involving an amount of damages that is material to the government.

Providing a safe harbor for providers attempting good faith compliance would be a very appealing change to the FCA.  While the DOJ certification provision has a limited chance of success, a restriction on excessive or disproportionate use of subpoenas and civil investigative demands may have broader support.  In any event, this bill highlights the problems providers face when billing errors or confusion are treated as fraud, and they are subjected to the staggering costs of responding to a federal investigation and the crippling risks of fighting the treble damages and penalties of an FCA case.

Farrell Fritz health care attorneys know the False Claims Act, and can help health care providers deal with government investigations, audits, and compliance issues.

Is your office photocopy machine a HIPAA time-bomb?  Affinity Health Plan recently learned that the answer is yes, to the tune of a $1.2 million settlement with the US Department of Health and Human Services Office for Civil Rights (OCR).  Affinity is a not-for-profit managed care organization which includes one of the New York metropolitan area’s largest Medicaid managed care programs.  In 2010, Affinity made a mandatory breach report to OCR when it learned that the protected health information (PHI) of over 300,000 individuals was found on the hard drives of multiple photocopiers that Affinity had leased.  Affinity failed to have the hard drives wiped or destroyed prior to the return of the copiers at the end of the leases.

As HIPAA Covered Entities, healthcare organizations from hospitals and inpatient facilities to physician practices and health plans should take note of this matter.   For Covered Entities, this may mean new policies covering copiers and other hard drives containing PHI, revised risk analyses and safeguards, and revised Business Associate Agreements (BAAs).

Additionally, Business Associates of healthcare organizations, including consultants, lawyers, accountants, and billing companies, who may possess protected health information should also pay close attention.  Under the Omnibus Rule, finalized earlier this year and taking effect on September 23, 2013, business associates will be directly responsible for compliance with the privacy and security provisions HIPAA, HITECH and the Ominbus Rule. This means developing their own policies and procedures, conducting internal risk assessments and audits, and implementing physical and electronic safeguards to protect PHI.  Business Associates should carefully read new or revised BAAs they receive from Covered Entities to better understand their obligations.

The health care attorneys at Farrell Fritz understand HIPAA, can help your organization move toward compliance with new and old requirements, and minimize your risk of substantial fines.


Senator Kemp Hannon, Chair of the New York State Senate Committee on Health (and counsel at Farrell Fritz), will be hosting a health care forum featuring a presentation by State Medicaid Director Jason Helgerson.  The event will take place on Monday, August 5 from 10:00 am to noon at the Hofstra University Student Center Theatre.

Helgerson, also Executive Director of the Medicaid Redesign Team (MRT), will speak on the topic “An Update on Medicaid Redesign and the Medicaid Budget in New York.”  He will give an overview of the State’s $53 Billion a year Medicaid program, the deep changes effected in the program by the MRT, and the progress of the changes.

Seating is extremely limited.  Parties interested in attending should call Senator Hannon’s office at (516) 739-1700, or email hannon@nysenate.gov with their name, title, address, organization and telephone number.


The Office for Civil Rights of the US Department of Health and Human Services, in conjunction with the Workgroup for Electronic Data Interchange (“WEDI”), has announced a series of four free webinars on compliance with the latest Omnibus HIPAA/HITECH final rule, which implements significant changes in the requirements imposed upon health care organizations, providers, and their business associates.  Final compliance with the new rule is required by September 23, 2013.

Aimed at smaller clinical practices, the webinars will  address topics  including the new breach notification requirements, new Business Associate liability, and enforcement.  The first webinar will be held on June 14, 2013.

While we advise clients to review these matters with their legal counsel, it can be quite informative to hear the requirements and compliance expectations directly from the agency responsible for enforcement.  Providers should be prepared to revise their policies and documents, including Business Associate Agreements, well before the September dealine.

Note that the webinars are free, but registration with WEDI is required in order to register.

On January 2, 2013, the US Department of Health and Human Services announced a $50,000 settlement with Hospice of North Idaho for a data breach involving the theft of a lost, unencrypted laptop computer containing the health information of 441 patients.

This settlement is the first for a reported breach affecting fewer than 500 individuals.   HHS Office of Civil Rights Director Leon Rodriguez stated that “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.”

A few takeaways from this settlement:

  • All HIPAA covered entities should conduct initial and ongoing risk assessments regarding use of electronic PHI;
  • Providers should develop and adopt policies and procedures regarding the use of mobile devices such as laptops, tablets, and smart phones containing electronic PHI, and appropriate safeguards to implement;
  • Think about who should have access to the devices, how they are protected or encrypted, where they are stored;
  • Providers should carefully investigate all data breaches, no matter how small;
  • After an investigation, review the provisions of the HITECH Act regarding breach notification; must the provider notify HHS immediately, notify the affected individuals, or take other measures?
  • Consult with counsel familiar with HIPAA, HITECH and data breaches to ensure that all Federal and State obligations are being met with an appropriate investigation, response, remedial assessments and policies and procedures.


Just a reminder to New York State Medicaid providers that certifications under the NYS Social Services Law and the Federal Deficit Reduction Act are due no later than December 31.

All New York State Medicaid providers who are required to have a compliance program under Social Services Law Section 363-d must certify that their compliance programs are effective.  The certification must be completed during the month of December each year.  The Social Services Law certification is an online certification that may be accessed through the New York State Office of the Medicaid Inspector General website under the Compliance tab. 

Medicaid providers subject to the Federal Deficit Reduction Act of 2005 (DRA) must also provide a certification that they are meeting the DRA’s requirements.  The certification must be completed each year prior to January 1st.  The DRA certification may also be accessed on OMIG’s website under the Compliance tab.

There can be significant consequences both for failing to certify and for certifying compliance when not in compliance with the regulatory requirements.  Parties who are unsure whether they need to certify their programs, or who may have questions regarding their compliance programs or certifications, are advised to consult with their attorneys to review their options.