Shortly after Memorial Day 2018, the federal government announced its plan to bring back a payment review project that puts significant administrative burdens on home health agencies. Originally called the Pre-Claim Review Demonstration for Home Health Services, the project has been rebranded as the Review Choice Demonstration for Home Health Services. The original project’s rollout in Illinois resulted in extensive issues, reported delays in access to care, and even some home health agencies going out of business.Read More
On November 10, 2016, the Office of Inspector General (“the OIG”) of the U.S. Department of Health and Human Services (“DHHS”) released its 2017 Work Plan. Published annually and updated throughout the year, the Work Plan identifies the OIG’s key areas of focus as it carries out its mission of protecting the integrity of programs within DHHS. The OIG is charged with ensuring the integrity of more than 100 programs administered by DHHS, including those within the Centers for Medicare and Medicaid Services, Center for Disease Control and Prevention, the Food and Drug Administration, and the National Institute of Health. The OIG Work Plan summarizes the OIG’s current activities – comprised of both new and revised activities — along with information regarding previously identified activities that have been completed, postponed, or cancelled.
The Work Plan highlights new and continuing priorities applicable to various provider types, including hospitals, nursing homes, hospices, home health, clinical laboratories, physicians and other health professionals, medical equipment suppliers and manufacturers, pharmaceutical manufacturers and other providers and suppliers.
The 2017 Work Plan is available here.
The following is a sampling of some of the new and ongoing efforts highlighted in the Work Plan:
The Office of Civil Rights (“OCR”) has issued new guidance in connection with an increase of malicious cyberattacks, namely ransomware attacks on healthcare organization’s computer systems. Ransomware is a defined by HHS as a type of malicious software whose defining characteristic is that it attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker until the requested ransom is paid.Read More
The Affordable Care Act (sometimes referred to as Obamacare) included a requirement for providers to report and return all Medicare and Medicaid overpayments within 60 days of identification. Although this requirement has been in effect since 2010, the Centers for Medicare and Medicaid Services (“CMS”) has proposed but failed to promulgate rules serving to further clarify this requirement. On February 12, 2016, CMS published a final rule, which went into effect March 14, 2016. The final rule applies to Part A and Part B of Medicare.
When the North Carolina Division of Medical Assistance (“DMA”) decides to place a Medicaid provider on prepayment review, it can be the equivalent of a death sentence for a small business. The primary problem is that there are few avenues to appeal the decision to be placed on prepayment review, even when there is little or even no justification for DMA’s decision. Prepayment review then becomes a waiting game reducing cash flow and overwhelming providers with a paper chase gotcha game. Although the initial decision to place a provider on prepayment review cannot be challenged, this does not mean that a Medicaid provider has no options to challenge the prepayment review process.
The Federal Lawyer, a national magazine by the Federal Bar Association, just published an article by one of Parker Poe’s health care attorneys. The article looks at the implications of a recent Supreme Court decision and explores how Medicaid providers can still challenge rate cuts.
The article is available here.
Raleigh, NC – On July 16, 2015, Parker Poe hosted a Health Care Symposium co-sponsored by the North Carolina Society of Health Care Attorneys, the Federal Bar Association’s Health Law Section, and the Federal Bar Association’s Eastern North Carolina Chapter.
The Symposium was a review of the United States Supreme Court’s decisions impacting health care in the 2015 term. Panelists reviewed the Court’s opinions and their legal and practical implications. The Symposium was designed for health care providers, lawyers, policy makers, and others interested in health law and policy.
Matt Wolfe, an attorney in Parker Poe’s Raleigh office, moderated the Symposium’s panels. Matt was joined by Kimberly Cogdell Boies of NCCU Law; Catherine Dunham, Elon Law; Mark Hall, Wake Forest Law; Joan Krause, UNC Law; Jane Perkins, National Health Law Project; Barak Richman, Duke Law; Richard Saver, UNC Law; and Don Taylor, Duke Public Policy. Click here for a link to the video of the session.
If you would like further information about topics discussed, please contact Matt Wolfe at 919-835-4647 or firstname.lastname@example.org.
An increasing number of health care providers are outsourcing the hosting and maintenance of software applications, the storage of data, and related support services. Outsourcing can provide cost savings, rapid deployment, system scalability, other efficiencies, and appropriate data security. It also introduces additional issues into the provider’s risk management analysis, largely based on the fact that a third party rather than the provider has possession and control of vital and sensitive assets and information. Before you enter into a contract that includes a cloud computing component, you should consider some of the following:
- No business decision or activity is risk free. Risk management is a balancing process based on the particular facts and circumstances. For example, a provider may be less concerned about its inability to access its web-based job application submission portal than its electronic health record application. Not all risks are the same, and a provider should devote more attention and resources to managing its greatest risks.
- Risk management is a team sport. Effective risk management requires the participation and interaction of representatives of the intended user group, financial analysts, compliance officers, information technology and data security experts, and legal counsel experienced in advising on and negotiating the particular type of contract.
Yesterday, the United States Supreme Court issued an opinion that denies providers the right to challenge low Medicaid reimbursement rates by suing state agencies in federal court.
In Armstrong v. Exceptional Child Center (No. 14-15), several residential care providers in Idaho sued on the grounds that its Medicaid program failed to pay providers increased Medicaid rates that had been approved by the federal government. The providers were initially successful in convincing the district court and Court of Appeals for the Ninth Circuit that the State should be forced to pay the higher rates because federal Medicaid law requires states to pay rates that are sufficient to ensure access to care. The providers contended that they had the right to sue Idaho in federal court under the United States Constitution’s Supremacy Clause—which provides that federal law trumps State law.
The Office of Civil RIghts (“OCR”) recently announced that Phase 2 of the HIPAA audits would be further delayed because the audit portals and project management tools that are needed to initiate the audit process are not ready and available for usage. Phase 2 of the HIPAA audits was initially slated to begin in the fall of 2014 and was subsequently moved to late 2014 or early 2015. Currently, no timeline has been provided as to when the next round of audits will officially begin.
A delay in Phase 2 of the OCR HIPAA Audits does not mean that covered entities and business associates should not continue to make sure they are in compliance with all HIPAA regulations. The potential consequences for failure to comply with HIPAA regulations are significant. While the audit portals are still under development, it is a good time for covered entities to (i) make sure their HIPAA policies and procedures are up to date and meet the latest privacy and security requirements, (ii) create a list of all business associates that provide services to the covered entity, and (iii) conduct an internal risk assessment to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
Among other things, Parker Poe’s healthcare attorneys advise our healthcare clients about (i) compliance with HIPAA’s privacy requirements as they affect healthcare information, including preparing employee and patient notices, plan policies and procedures, plan amendments and authorization and other forms, and (ii) HIPAA compliance requirements for business associates.