Healthcare Highlights: Cyber-Security, Licensing Board Issues, and Employer COVID-19 Regulations
December 3, 2021
Learn More
The health care landscape is ever-changing, shaped by the current pandemic and ongoing changes to the laws and regulations. We recently held a Health Care Breakfast and Learn to give insight into current trends and legal and regulatory issues on both state and federal levels affecting the health care industry.
Certificate of Need Law Update
The discussion kicked off with an in-depth analysis of changes to the North Carolina Certificate of Need (CON) law, which prohibits health care providers from adding, acquiring, or replacing certain health care facilities and equipment, and from providing certain medical services without prior authorization by the state Department of Health and Human Services.
When Governor Roy Cooper signed Senate Bill 462 into law, it updated North Carolina's CON law. These changes, which went into effect on October 1, 2021, include the following:
- Increased cost thresholds for which a CON is required:
- Diagnostic centers - threshold increased from $500,000 to $1.5 million
- New institutional health services - threshold increased from $2 million to $4 million
- Major medical equipment - threshold increased from $750,000 to $2 million
- Inflation cost increases:
- Thresholds adjusted on an annual basis according to the consumer price index, starting on September 30, 2022
These are important because there has been no change to these thresholds in decades, and projects falling under the cost thresholds would not require a CON.
Stark Law Revisions
In December of 2020, the Centers for Medicare and Medicaid Services (CMS) issued a number of revisions and clarifications to the Stark regulations, which govern physician referrals for certain designated health services (DHS), such as labs, imaging, physical therapy, and durable medical equipment.
These changes, which will become effective on January 1, 2022, include revisions to three existing Stark exceptions:
- In-office ancillary services exception
- Office leases exception
- Equipment leases exception
In regards to the in-office ancillary services exception, a medical group must meet certain regulatory requirements to satisfy the exception. These requirements include restrictions on the allocation of profits from DHS.
The restrictions do not permit group practices to distribute the DHS profits in ways that are directly tied to who ordered the DHS. "To give an example, a group practice cannot allocate profits from its imaging services, let's say, to the physician who ordered the imaging," I noted. "Often, groups split the DHS profits on a per capita basis, and that's permissible."
It is also permissible to allocate DHS profits based on professional productivity, as long as DHS encounters and the revenues from the provision of DHS are excluded. "These indirect methods of allocating DHS profits have always been permitted and will continue to be permitted."
Nonetheless, the Stark regulations were not clear in several respects, and the new regulations were put forth as an attempt to shed light on a number of questions. With regard to the in-office ancillary services exception, CMS clarified that group practices must allocate profits, not revenues. That is, the expenses relative to the generation of DHS revenues must be taken into account.
Because the Stark regulations did not forbid the segregation of the various DHS service lines, some group practices elected to distribute the profits from one DHS service line using one methodology (and perhaps to a subset of physicians in the practice that were responsible for ordering those DHS) and to distribute profits from another DHS service line using a different methodology (and perhaps to a different subset of physicians in the practice that were responsible for ordering those DHS). This will not be permissible after January 1, 2022.
"Moving forward, the same method has to be used for all profits of all DHS service lines." All of the profits from all DHS service lines must be aggregated, and one methodology for distributing the aggregate profits must be used for the group practice (or for any component of the group of at least five physicians).
The regulations also clarify that the allocation of DHS profits may not be based on the physicians' ordering of DHS that are provided to non-Medicare patients: For example, "if there are three physicians in a group practice, and one physician orders 50 percent of the imaging services provided to non-Medicare patients of the practice, and two other physicians each order 25 percent of the imaging services for the non-Medicare patients, it would not be permissible to use the same percentages to allocate imaging services provided to Medicare patients."
The regulations also made changes to the Stark exceptions for the rental of office space and medical equipment. In the past, leases had to be exclusive, meaning it was not permissible for multiple lessees to share the same space or equipment at the same time. Beginning January 1, 2022, it will be acceptable for various lessees (and sublessees) to use the same space or equipment at the same time.
Anti-Kickback Update
The safe harbor for personal services and management contracts under the federal anti-kickback statute was altered in several ways in December of 2020. That reform, which went into effect on January 19, 2021, was issued by the Office of Inspector General (the OIG) for the Department of Health and Human Services. The OIG now only requires the compensation methodology to be set in advance instead of having the aggregate amount of the compensation be pre-determined.
"This new rule better aligns the safe harbor with the equivalent Stark exception and will make it easier going forward to draft personal services agreements."
Another change that I expect will ease some of the headaches medical providers experience is that the OIG eliminated the requirement that part-time or periodic contracts specify the schedule, length, and specific charges for the intervals of services provided. "This allows for greater flexibility in the use of part-time or periodic services on an as-needed basis,"
Patient Records and HIPAA Compliance
My colleague Leigh Wilkinson, a health care attorney with over 35 years of experience in a variety of health care law matters, led off with an insight into how medical providers can escape the attention of the Office for Civil Rights (OCR), which is the government agency that enforces the HIPAA privacy law.
"I don't think it would be a healthcare webinar without mentioning HIPAA," said Wilkinson, noting that the OCR had announced in late 2019 that it would be undertaking an initiative to investigate and settle cases impacting patients who had requested their records and were denied access for any reason.
Under HIPAA privacy regulations, an individual or their personal representative has the right to request access to or receive a copy of their protected health information. And medical providers that are covered under these rules ("covered entities") must act on that request within 30 days of receiving it.
"Now, you would think that sounds pretty simple, but apparently not, because there have been over 20 published settlements so far," explained Wilkinson. The amount of fines and penalties has ranged from $5,000 to over $200,000, and it has been applied to everyone from solo physicians and small group practices to large hospital systems.
In addition to the monetary penalties, those who are found in non-compliance may also be required to enter into a corrective action plan, in which the OCR would monitor their actions for a period of up to two years. "To keep the OCR at bay, covered entities under HIPAA must permit individuals or their personal representatives to inspect and obtain a copy of their protected health information upon request," advised Wilkinson. "You have 30 days when someone makes that request to take action, and within those 30 days, you must respond by (i) granting the request, (ii) denying the request when permitted by the HIPAA regulations, or (iii) notifying the individual that you need more time (up to 30 more days) to grant the request."
There are very limited circumstances in which a request can be denied, and certain grounds for denial are appealable by the individual. While there are a variety of obstacles that could prevent a medical provider from providing a patient with their records within the initial 30-day timeframe, it is permissible to notify the requestor that you need more time, but no more than 30 additional days, and you should document the reason you needed that extra time. A major red flag to the OCR is when patients ask for their records and receive no response at all within the 30-day time frame.
If contacted by the OCR about a complaint, covered entities under HIPAA should provide a quick response and rectify the situation immediately. Being responsive is the key, says Wilkinson: "Over half of the covered entities that had penalties imposed against them had been contacted by the OCR more than once about the same complaint."
Wilkinson added that patients should receive a copy of their records in the format they requested, and providers are not allowed to charge more than the actual costs incurred in providing the copies.
Fraud and Abuse
In September of 2020, the US Department of Justice announced it would be pursuing its largest health care fraud enforcement action in history. As a result, 345 individuals have been charged with submitting more than $6 billion in false claims that the government paid.
"There are criminals out there trying to take advantage of the healthcare payment system, but they're going to be looking for help from medical providers to make their plans work," commented Wilkinson. The takedown focused on healthcare professionals who had issued fraudulent orders for medical equipment and diagnostic testing.
Identity theft continues to be an issue as well. Wilkinson shed light on a compelling case in which a criminal gang infiltrated a Covid-19 testing site to steal personal and biological information, then used it to create and submit new reimbursement claims for more expensive services.
"The takeaway is that the opportunity for fraudulent activity is everywhere," notes Wilkinson, "so make sure that your employees who are going to be working with billing and patient information are fully vetted before hiring them and then on a regular basis during employment."
--
© 2024 Ward and Smith, P.A. For further information regarding the issues described above, please contact .
This article is not intended to give, and should not be relied upon for, legal advice in any particular circumstance or fact situation. No action should be taken in reliance upon the information contained in this article without obtaining the advice of an attorney.
We are your established legal network with offices in Asheville, Greenville, New Bern, Raleigh, and Wilmington, NC.
