Welcome to this week's edition of the Health Law Update. Topics covered today include:

• Healthcare Provisions in the American Taxpayer Relief Act - the Good, the Bad and the Ugly
• American Taxpayer Relief Act Amends Overpayment Recovery Time Limits
• OIG Advisory Opinion Sheds Light on Pay-for-Performance Relationships Between Hospitals and Physicians
• OCR's Breach Settlement: The First Ever Involving Less Than 500 Patients
• Reminder: Annual OCR Breach Reporting Due March 1, 2013
• CMS Provides Guidance for Amending Patient Medical Records
• Healthcare Fraud and Abuse Webinar
• Events Calendar

We hope you find this information helpful. Please contact any member of BakerHostetler's Healthcare Team with questions.

HEALTHCARE PROVISIONS IN THE AMERICAN TAXPAYER RELIEF ACT - THE GOOD, THE BAD AND THE UGLY

In late night action on December 31, 2012, the American Taxpayer Relief Act of 2012 (ATRA) was passed by the Senate and finalized days later by Congress and the President with a set of tax and spending policy provisions intended to provide relief to the American taxpayer -- avoiding the "fiscal cliff" set up by the Budget Control Act of 2011. Upon closer inspection, however, the ATRA also has some important implications for the healthcare industry and sets the stage for future healthcare spending reductions and appropriations discussions in 2013. The following offers a brief overview of the ATRA's good, bad and ugly provisions for the healthcare industry.

The Good

One of the largest issues looming over Congress relating to Medicare involved the fate of the sustainable growth rate (SGR) impending statutory cuts of nearly 27 percent, which would have further exacerbated the physician shortage currently experienced in the Medicare program and was widely criticized. The ATRA addressed this issue, but once again, only did so for a short time. At a cost of $25 billion, the ATRA froze existing Medicare physician rates at their current level through 2013. This means that the SGR fight to obtain permanent relief will continue during 2013.

The impending Budget Control Act sequester which would have included a mandatory two percent Medicare provider rate cut, reductions in important discretionary spending programs such as the National Institutes of Health (NIH) and graduate medical education programs is delayed for two months.

Other Medicare reimbursement and healthcare programs set to expire on December 31, 2012, were extended, including the Medicare physician work geographic adjustment and certain Medicare programs necessary to sustain ambulance service and Medicare dependent individuals in rural areas. Medicare payment changes for outpatient therapy services at hospitals were also addressed.

Funding for low-income outreach and assistance programs and the Medicaid qualified individual and transitional assistance programs were extended. Similarly, the ATRA reauthorized the Medicaid and Children's Health Insurance Program express lane option program through September 30, 2014.

The Bad

Generally, the major issues that hung in the balance with regard to healthcare spending during last year's fiscal cliff negotiations remain unresolved, and the ATRA added upwards of $4 trillion to the deficit over the next ten years. As Congress continues to grapple with the nation's fiscal woes in the coming months, spending reductions in healthcare remain in the crosshairs.

Medicaid disproportionate share hospital (DSH) payments will be rebased to extend the anticipated Affordable Care Act (ACA) reductions from 2021 to 2022. The rebasing of DSH payments is expected to provide up to $4.2 billion in savings over ten years.

Bundled payments for end stage renal disease will be rebased. Incorporating recommendations from a General Accounting Office report relating to reductions in oral drugs and biologics, the payment reduction for renal dialysis services is anticipated to achieve $4.9 billion in savings.

The ATRA rescinds unobligated funds for the ACA's Consumer Operated and Oriented Plan (CO-OP) program to the tune of approximately $2.3 billion.

Also as discussed in detail in the article that follows, the ATRA significantly alters provider rights related to overpayment recoupment, refunds, audits and claims appeals.

The Ugly

Overall healthcare industry spending continues under the microscope and, as Congress prepares over the next several months to make significant headway on cost reductions, entitlement reform will rank high on the nation's agenda. Consequently, Medicare, Medicaid, discretionary programs, research and graduate medical education all will be targets for spending reductions. Creative solutions to save money and continue coverage for individuals will be sorely needed. Providers will want to be at the table to ensure that provider reimbursement, the first at the chopping block, will not be the sole mechanism that Congress employs to reduce healthcare spending in the budget battles ahead.

BakerHostetler remains committed to working with providers to ensure that their strategic initiatives are conveyed on Capitol Hill and that their issues are heard. For more information regarding our healthcare policy practice or relating to the ATRA and its impact, please contact Susan Feigin Harris, sharris@bakerlaw.com or 713.646.1307, or Kathleen P. Rubinstein, MPA, Policy Analyst, krubinstein@bakerlaw.com or 713.276.1650.

AMERICAN TAXPAYER RELIEF ACT AMENDS OVERPAYMENT RECOVERY TIME LIMITS

The ATRA significantly alters provider rights related to overpayment recoupment, refunds, audits and claims appeals. A provision entitled "Removing obstacles to collection of overpayments" increases the statute of limitations related to without fault provisions from three to five years, based on recommendations from the Office of Inspector General (OIG) at the U.S. Department of Health and Human Services (HHS). In labeling the without fault provision -- a critical protection for providers arguing against unfair collection of potential overpayments -- as an "obstacle," HHS simultaneously weakened a provider defense and exposed providers to a greater period of vulnerability.

The without fault provisions state that a provider will not be liable for an overpayment if the provider acted without fault. Generally, a provider is without fault if it exercised reasonable care in billing for, and accepting, the payment. Moreover, the statute provided that the adjustment or recovery of an incorrect payment is deemed to be against equity and good conscience if the determination that such payment was incorrect is made more than three years after the payment was made. Thus, many possible overpayments may involve circumstances under which a provider did not know, and could not reasonably be expected to know, that it improperly billed for the subject of the overpayment. Previously, absent evidence to the contrary, providers may have had a "without fault" defense against refunding certain overpayments when those amounts were identified after the third year in which the payment was made. Now that period has been extended to the fifth year. The limitation of liability provisions are an integral part of the Medicare claims appeal process relating to overpayments. There are numerous decisions where a provider was not held liable for an overpayment based on these provisions because the claim at issue was beyond the three-year window. That window now has been extended, leaving providers vulnerable for a greater period of time and increasing amounts that may be collectable.

Without fault provisions were important issues raised in the Recovery Audit Contractor (RAC) Program demonstration project. RAC reviews are statutorily limited to a four-year lookback period, but currently function under a three-year lookback period. Some believe the three-year limit is based on the without fault provision; thus the extension of the without fault provision may allow for an increase in the RAC lookback period.

This amendment is the latest in a series of actions attempting to extend HHS's reach into previous payments made to providers. In February of 2012, CMS proposed to amend the claims reopening rules to allow the agency to reopen claims for a period of ten years. We disagreed with the ten-year lookback period, arguing in part, that a ten-year period was inconsistent with statutory provisions related to the three-year "without fault" provision limitation. The without fault amendment may be an ominous indication that HHS is making preparations to increase the lookback period under the proposed rule.

For more information, please contact B. Scott McBride, smcbride@bakerlaw.com or 713.646.1390, or Ameena N. Ashfaq, aashfaq@bakerlaw.com or 713.646.1329.

OIG ADVISORY OPINION SHEDS LIGHT ON PAY-FOR-PERFORMANCE RELATIONSHIPS BETWEEN HOSPITALS AND PHYSICIANS

On January 7, 2013, the HHS OIG released Advisory Opinion 12-22 concerning a rural hospital's (Hospital) proposal to pay a cardiology group (Group) a performance bonus for achieving certain patient service, quality and cost savings measures for procedures performed at the Hospital's cardiac catheterization laboratories (Lab). The opinion analyzed the arrangement under the civil monetary penalty provision (CMP) relating to reductions or limitations of services provided to Medicare and Medicaid beneficiaries and the federal anti-kickback statute. The CMP, which has heretofore been neglected by providers and regulators alike, provides for a penalty against any hospital that knowingly makes a payment directly or indirectly to a physician as an inducement to reduce or limit services provided to Medicare or Medicaid beneficiaries under the physician's direct care. The physician to whom the improper payment is paid also may be subject to the penalty. An important distinction is that the CMP does not require that the payment reduce or limit medically necessary care; rather, the law is violated if the payment induces the reduction or limitation of any services.

The Hospital proposed to enter into a three-year co-management agreement with the Group to provide management services to the Hospital, including oversight of Lab operations, strategic planning and medical direction services, development of the Hospital's cardiology program, participation on medical staff committees, staff development and training, recommending Lab equipment, medical devices and supplies and providing assistance with financial and payor issues, among other duties. In exchange for these services, the Hospital would pay the Group a fixed fee and the Group would be eligible for a performance fee not to exceed the fixed fee based on four components: employee satisfaction, patient satisfaction with the Labs, improved quality of care in the Labs and implementation of cost savings measures in the Labs. The Group would distribute the performance fee to its shareholders on a pro rata basis according to each physician's ownership rather than the physician's participation in the arrangement with Hospital.

At the outset, the OIG identified a laundry list of concerns in such arrangements, including: "(i) stinting on patient care, (ii) "cherry picking" healthy patients and steering sicker (and more costly) patients to hospitals that do not offer such arrangements, (iii) payments to induce patient referrals, and (iv) unfair competition among hospitals offering incentive compensation programs to foster physician loyalty and to attract more referrals." Nevertheless, in the heavily footnoted opinion, the OIG determined that it would not seek sanctions against the Hospital for the proposed arrangement under the CMP or anti-kickback statute. With respect to sanctions under the CMP, the OIG recognized that the cost savings component of the performance fee might induce physicians to alter their current medical practice by reducing or limiting services; however, the OIG was satisfied with the safeguards built in to the proposal. In making this determination, the OIG relied on many of the Hospital's factual certifications, which included that the arrangement would be monitored from a patient care and operational perspective by both internal and external independent entities. The OIG also noted the continued access of physicians to any device and supply they deem is most appropriate for each patient and the performance fee amount being based on the Group's aggregate performance rather than the cost of specific patient cases.

The opinion also approved of the proposal under the federal anti-kickback statute. The OIG's conclusion was based upon the Hospital's certification that a third-party evaluator determined that both the fixed fee and performance fee reflect fair market value for the substantial services provided by the Group under the management agreement. Additionally, because the compensation under the proposal would not vary with the number of patients treated by the Group at the Hospital and the Hospital operates the only cardiac catheterization labs in a fifty-mile radius, the OIG concluded that the compensation would be unlikely to influence the physicians' referral decisions. Finally, the OIG was persuaded that the specificity of the agreement provisions relating to the performance fee components indicates that the purpose of the arrangement is to improve quality rather than reward physician referrals.

The opinion offers a glimpse into the OIG's complex view of the increasingly popular pay-for-performance compensation arrangements and establishes general guidelines for providers to consider when entering into such arrangements. However, the OIG has made it clear with this opinion that pay-for-performance arrangements need to represent real efforts to achieve quality improvement measurements rather than simply influence physician referrals, and include safeguards against patient care rationing, to avoid liability under the CMP and anti-kickback statute. Additionally, such arrangements also are likely to implicate the physician self-referral law (Stark Law). Therefore, providers contemplating such arrangements should undertake a similar analysis with respect to compliance with an available exception to the Stark Law.

If you have any questions or need assistance with evaluating a pay-for-performance arrangement, please contact Donna S. Clark, dclark@bakerlaw.com or 713.646.1302, or Darby C. Allen, dallen@bakerlaw.com or 713.646.1311.

OCR'S BREACH SETTLEMENT: THE FIRST EVER INVOLVING LESS THAN 500 PATIENTS

The HHS Office for Civil Rights (OCR) started 2013 with a bang by announcing that it had reached "the first settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals" with the Hospice of North Idaho (HONI). Under the resolution agreement, HONI agreed to pay $50,000 and enter into a two-year Corrective Action Plan (Plan) to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule stemming from the June 2010 theft of an unencrypted laptop containing the ePHI of 441 HONI patients. As the Health Information Technology for Economic and Clinical Health Act (HITECH) does not require covered entities to immediately report breaches involving fewer than 500 individuals to OCR so long as they are reported annually, HONI properly reported the theft to OCR in its annual breach report. OCR nonetheless launched an investigation that concluded the following:

• HONI did not conduct an appropriate risk assessment regarding the confidentiality of ePHI stored and transmitted using portable electronic devices; and
• HONI did not have in place policies and procedures to address mobile device security as required under the HIPAA Security Rule.

In addition to the $50,000 settlement payment, HONI also agreed to enter into a two-year Plan -- perhaps the most onerous aspect of the resolution agreement. The Plan includes the following obligations:

• HONI must notify OCR in writing within thirty days of discovering that a workforce member may have failed to comply with privacy and security policies and procedures. The notice must include:
  • a complete description of the event, including the relevant facts, the persons involved and the privacy and security policies implicated; and
  • a description of the actions taken and further steps HONI plans to take to address the matter, mitigate harm and prevent it from recurring, including the application of sanctions against workforce members who fail to comply with privacy and security policies and procedures.
• If no reportable events occur within the two-year compliance period, HONI must inform OCR in writing within thirty days of expiration of the Plan; and
• HONI must maintain all documents and records relating to compliance with the Plan for six years from the effective date of the agreement.

Should HONI breach the Plan, it would be subject to civil monetary penalties.

According to the OCR Press Release, HONI has "taken extensive additional steps" since the June 2010 theft to improve its HIPAA privacy and security compliance program. Nonetheless, OCR Director Leon Rodriguez emphasized that the action "sends a strong message to the healthcare industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients' information." Mr. Rodriguez also stressed the importance of encryption, calling it "an easy method for making lost information unusable, unreadable, and indecipherable."

The Press Release also announced a new educational initiative intended to offer healthcare providers and organizations practical tips on ways to protect their patients' health information when using mobile devices such as laptops, tablets and smartphones. Of the past five HITECH-related resolution agreements published by OCR, all five have involved unencrypted portable electronic devices. To address this problem, OCR has partnered with the Office of the National Coordinator for Health Information Technology to provide a new website with videos and other information regarding how to secure and maintain mobile devices.

Here are some observations regarding the importance of this settlement:

• Now is the time, no matter the size of your organization.
   
  This settlement is a shot across the bow to all covered entities that have yet to implement a HIPAA compliance plan. Retroactive implementation of policies and procedures, such as the "extensive steps" HONI had taken since the June 2010 theft, is simply not enough to mitigate the impact of a resolution agreement. This settlement also demonstrates that size doesn't matter when it comes to OCR enforcement. Covered entities of all sizes are officially on notice -- if you haven't implemented an effective compliance plan, now is the time.


• Expect an investigation following a breach involving a portable electronic device.
   
  All of the resolution agreements published by OCR in 2012 were the product of investigations stemming from breaches involving portable electronic devices. HONI is no exception, and there is no indication that OCR will deviate from this enforcement pattern any time soon.


• Encrypt if you can. If you can't, document why.
   
  Mr. Rodriguez's comments and the language of the HONI resolution agreement could indicate an even stronger focus on encryption in the coming year. Encryption is an "addressable" implementation specification for several technical safeguards under the HIPAA Security Rule, meaning a covered entity is not required to implement encryption technology if it determines that implementation is not reasonable and appropriate. If a covered entity makes such a determination, it must document why implementation would not be reasonable and appropriate and implement an equivalent alternative measure if that measure is reasonable and appropriate. According to the HONI resolution agreement, HONI did not document its determination that encryption was not reasonable and appropriate. Prior resolution agreements have included similar language. In addition, Mr. Rodriguez's description of encryption as an "easy" method of protecting ePHI may indicate that OCR will be focusing on a covered entity's documentation of valid reasons for choosing not to encrypt portable electronic devices in the coming year.

Should you need assistance with your year-end breach reporting to OCR or if you would like advice on compliance with HIPAA/HITECH, please contact Lynn Sessions, lsessions@bakerlaw.com or 713.646.1352, or Theodore J. Kobus, tkobus@bakerlaw.com or 212.271.1504. *Credit to Cory J. Fox who authored this article.

REMINDER: ANNUAL OCR BREACH REPORTING DUE MARCH 1, 2013

The breach notification interim final rule requires covered entities to submit to the OCR notice of breaches of unsecured protected health information (PHI) (45 C.F.R. 164.408) by March 1, 2013. For breaches affecting fewer than 500 individuals, a covered entity must submit to OCR its annual notification of all breaches occurring in a calendar year within 60 days of the end of the calendar year in which the breaches occurred. This notice must be submitted electronically by completing all information required on the breach notification form, located online. A separate form must be completed for each breach that occurred during the calendar year. Covered entities should analyze each potential breach under HITECH, including documenting incident reports, risk of harm analyses and notification documents, where applicable. BakerHostetler works with clients in determining which incidents to include on the annual report so that the covered entity does not set a precedent that could prejudice it in a future large breach.

If you need assistance with your annual OCR reporting or breach analysis, please contact Lynn Sessions, lsessions@bakerlaw.com or 713.646.1352, or Theodore J. Kobus, tkobus@bakerlaw.com or 212.271.1504.

CMS PROVIDES GUIDANCE FOR AMENDING PATIENT MEDICAL RECORDS

CMS recently released a transmittal providing instructions to contractors on acceptable methods for providers to amend, correct and incorporate delayed entries into a patient medical record. The transmittal amends the Medicare Program Integrity Manual (CMS Pub. 100-08) to delineate recordkeeping principles which providers must follow when making alterations to a patient record subsequent to the time of service, including: (1) clearly and permanently identifying any amendment, correction or delayed entry as such; (2) clearly indicating the date and author of the amendment, correction or delayed entry; and (3) not deleting but instead clearly identifying all original content (Recordkeeping Principles). Recordkeeping Principles are necessary whether the documentation submission originates from a paper record or an electronic health record. If altering a paper record, the author should use a single line strike-through to ensure the original content is still readable and sign and date any revision or additional entry. The transmittal directs contractors to disregard any entries that do not comply with the Recordkeeping Principles, even if such exclusion would lead to a claim denial.

Transmittal 442, Change Request 8105, effective date of January 8, 2013, can be found online.

For more information, please contact Robert M. Wolin, rwolin@bakerlaw.com or 713.646.1327, or Summer D. Swallow, sswallow@bakerlaw.com or 713.646.1306.

HEALTHCARE FRAUD AND ABUSE WEBINAR

BakerHostetler Counsel and former Assistant U.S. Attorney Gregory S. Saikin will be speaking in an upcoming Strafford live webinar, "Healthcare Fraud and Abuse."

Tuesday, January 22, 2013
12:00-1:30 p.m. CST

As you may be aware, 2012 saw many record-breaking healthcare enforcement actions by federal and state authorities. The increased enforcement activity is considered, in part, to be a result of recently implemented anti-fraud regulations and hundreds of millions of dollars in new funding for governmental authorities to pursue healthcare fraud.

Therefore, it has never been more critical for healthcare providers to be aware of their risks and maintain an effective compliance program in an effort to avoid or mitigate administrative payment suspensions, False Claims Act suits and criminal fraud allegations, among other potential enforcement matters.

During the seminar, Greg and other panelists will offer perspectives and guidance on the following and many other important questions:

• What were the most noteworthy fraud and abuse cases in 2012 and what lessons can be learned from those matters?
• What enforcement trends are anticipated in 2013 and beyond?
• What are the key elements of an effective compliance program?
• How can a provider implement an effective program in a cost-efficient manner?

After the presentations, panelists will engage in a live question and answer session with participants, answering questions about these important issues directly.

For more information about the webinar or to register, please visit Strafford Program Registration. Please note that you must use this link in order to receive, as a guest of BakerHostetler, a special 50 percent registration fee discount.

EVENTS CALENDAR

January 24-25

Houston partner Donna S. Clark will speak on "Integrating Community Physicians into the Academic Medical Center" at the Legal Issues Affecting Academic Medical Centers and Other Teaching Institutions conference sponsored by the American Health Lawyers Association in Washington, D.C.

February 12

Houston counsel Gregory S. Saikin will speak on "Identifying Organized Health Care Fraud Rings," at the 15th Annual Fraud Conference sponsored by the Texas Department of Insurance in Austin, Texas.