The Department of Health and Human Services Office for Civil Rights (OCR) recently released the protocol it developed as a guideline for conducting the HIPAA privacy, security and breach notification audits mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act enacted in 2009. The OCR launched the audit program in 2011 and developed the protocol based on the first 20 audits completed under the program. Three of the initial audits were performed on group health plans, highlighting that employer-sponsored group health plans are subject to the Health Insurance Portability and Accountability Act (HIPAA) as covered entities and are subject to audit under the protocol. The audit program represents a significant shift in HIPAA enforcement from the largely reactive, complaint-based enforcement of the past to proactive compliance monitoring.

The pilot phase of the audit program began in November 2011 and is expected to include audits of 115 covered entities by December 2012. HITECH extended HIPAA compliance requirements to business associates and, therefore, business associates are expected to be included in the audit program following publication of the final HITECH regulations. The OCR indicated that funds have already been appropriated to carry out the audit program in 2013 and 2014.

In a 2-1 decision in Sodexo America LLC, the National Labor Relations Board (NLRB) held recently that the University of Southern California hospital violated Section 8(a)(1) of the National Labor Relations Act by maintaining and enforcing a rule that limited off-duty employee access to the workplace, except for specific purposes.

The policy at issue provided that:

  1. Off-duty employees are not allowed to enter or re-enter the interior of the hospital or any other work area outside the hospital except to visit a patient, receive medical treatment or to conduct hospital-related business.
  2. An off-duty employee is defined as an employee who has completed his/her assigned shift.
  3. Hospital-related business is defined as the pursuit of the employee’s normal duties or duties as specifically directed by management.
  4. Any employee who violates this policy will be subject to disciplinary action.

HHS and DOJ today announced that Federal law enforcement is teaming up with private insurance organizations in the fight against health care fraud.  While the details of how this partnership will work are unclear, the press releases issued by both DOJ and HHS indicate that the private and public sectors will share information with each other

On June 25, 2012, the U.S. Supreme Court granted the Federal Trade Commission’s request for certiorari review in FTC v. Phoebe Putney Health System, Inc., a hospital merger case on appeal from the U.S. Eleventh Circuit Court of Appeals and the U.S. District Court for the Middle District of Georgia.

At issue in the case is the FTC’s challenge to a hospital merger that would give the acquiring health system 100% market share in its county and more than 90% market share of the multi-county region in rural southern Georgia.  Applying the state action doctrine, both the trial court and the Eleventh Circuit held that the merger of two private hospitals, Phoebe Putney Memorial Hospital and Palmyra Park Hospital, was immune from antitrust laws even though all parties agreed that the merger created a monopoly.  State action immunity applies when a policy that displaces competition is “clearly articulated” and “actively supervised” by the state.  The doctrine can extend to private actors when they act pursuant to a clearly articulated state policy to displace competition, and they are actively supervised by the state.  Clear articulation is found when a restraint of trade is a “foreseeable” consequence of the action taken by the state.   

In the wake of the U.S. Supreme Court’s June 28, 2012, decision upholding the constitutionality of the 2010 Patient Protection and Affordable Care Act, employers who had been awaiting the decision should now focus on compliance. We expect additional guidance will be released to implement several pending provisions, including those related to the 2014 employer

On June 18, 2012, the Office of Inspector General for the Department of Health and Human Services (OIG) published a notice in the Federal Register seeking comments and recommendations on how best to revise its self-disclosure protocol to make it more useful in today’s health care regulatory environment. This should come as welcome news to the healthcare provider community because OIG’s protocol was first established in 1998, when the healthcare fraud enforcement landscape was much different. Specifically, the government’s investigation and pursuit of health care fraud has substantially increased over the last 14 years. 1998’s total recoveries from health care fraud of under $500 million compared to last year’s total recoveries of $4.1 billion are good evidence of that change.

The Federal Register notice mentions that since 1998, OIG has resolved over 800 disclosures and recovered over $280 million to the Federal health care programs. These high numbers are likely due in large part to the benefits health care providers and practitioners derive from self-disclosing, namely a lower multiplier on damages (approximately 1.5) and no requirement for a Corporate Integrity Agreement (CIA) in exchange for OIG’s highly sought after exclusion release. For cases settled after an affirmative investigation by the government – rather than a voluntary disclosure – healthcare providers should expect OIG, usually in conjunction with the Department of Justice (DOJ), to demand at least a 2.0 multiplier on the single damages (overpayment) amount. As an example, if the government determines that you received $500,000 in reimbursement that you were not entitled to, OIG would likely settle the self-disclosed matter for a 1.5 multiplier, or $750,000.  However, if the settlement is pursuant to an affirmative investigation and not a voluntary disclosure, OIG and DOJ would likely demand at least “double damages,” or $1 million.

As many may already know, CMS is transiting most Texas providers from Trailblazer to Novitas Solutions, Inc. (Novitas) as part of the MAC JH transition.  With this transition, Novitas requires new Electronic Funds Transfer (EFT) form (CMS-588) be completed and submitted for ALL practices and providers.  A notice should arrive to the providers during the

On July 10, 2012, two members of the Husch Blackwell Healthcare Group, Kate Mihalevich and Cori Turner, presented a webinar on ACO strategic physician alignment billing compliance.  The webinar:

  • highlighted compliance risks associated with ACOs and other physician alignment models; and
  • provided practical suggestions for evaluating and addressing risk in these areas.

To watch