Sample HIPAA Business Associate Agreement Provisions Published – On January 25, 2013, HHS published sample business associate agreement provisions on its website to help covered entities and business associates comply with the requirements of the HIPAA Omnibus Final Rule, which was released on January 17, 2013 and published in the Federal Register on January 25, 3013. Part of the Omnibus Final Rule revised the HIPAA compliance obligations for business associates and provided a transition period for updating business associate agreements that (i) were in effect prior to January 25, 2013 and (ii) have not been renewed or updated between March 26, 2013 and September 23, 2013. For these “qualified” pre-existing business associate agreements, the parties have until the earlier of the date the agreement is renewed or modified on or after September 23, 2013, or September 22, 2014 to come into compliance with the new business associate contract requirements. HHS has been clear that the recently published sample provisions are “only sample language[,] and use of these sample provisions is not required for compliance with the HIPAA Rules.” King & Spalding’s Client Alert, OCR Issues Long-Awaited Omnibus HIPAA/HITECH Rules, which discusses the provisions of the Omnibus Final Rule in detail, is available by clicking here. The HIPAA Omnibus Final Rule is available by clicking here.
Reporter, Susan Banks, Washington, D.C., +1 202 626 2953, firstname.lastname@example.org.
OIG Concludes in Nationwide Review of Drug That Herceptin Has Often Been Overbilled – The HHS OIG has conducted a nationwide audit of the use and reimbursement of Herceptin (also known as trastuzumab), a Medicare-covered drug used to treat metastatic breast cancer, and has concluded in three audits released in December 2012 and January 2013 that more than 75% of all audited claims contained errors. In particular, the OIG concluded that most Medicare payments for full vials of Herceptin were incorrect where a patient needed an amount less than the full vial.
Herceptin comes in a multiuse vial that contains more than one dose of medication. For multiuse vials, as a general rule, Medicare only reimburses for the amount administered to a beneficiary and does not pay for any part of the drug that is discarded, because Herceptin from opened multiuse vials can be preserved for up 28 days and used for other patients. (Drugs that have very short shelf lives after being opened can be billed even when the entire contents of a vial are not used.) With respect to Herceptin, the OIG’s position is that any payment for a full multiuse vial that is associated with a single patient is likely to be incorrect.
The OIG found that between 2008 and 2010, 78% of claims were incorrect for providers in Jurisdictions 6 and 8 resulting in overpayments totaling $682,748, 78% of claims were incorrect for providers in Jurisdiction 9 resulting in overpayments totaling $1,315,409, and 85% of claims were incorrect for providers in Jurisdiction 15 resulting in overpayments totaling $1,151,915. Additional reports issued last year on the use of Herceptin in other jurisdictions found similar results. Certain Medicare contractors are implementing changes. For example, First Coast Service Options will audit Herceptin claims for certain doses before it will reimburse the bills.
The OIG’s December 2012 and January 2013 reports relating to Jurisdictions 6, 8, 9, and 15 are available by clicking here, here, and here.
Reporter, Juliet M. McBride, Houston, +1 713 276 7448, email@example.com.
CMS Proposes Rule to Increase Medicaid Cost-Sharing – On January 22, 2013, CMS published a proposed rule in the Federal Register that would allow states to increase cost-sharing for Medicaid beneficiaries. Specifically, for individuals with incomes below 100% of the federal poverty level (FPL), the rule would increase nominal cost-sharing for outpatient services to a flat rate of $4.00. The charge for outpatient services was previously based on a proportion of the cost of the service to the state, and ranged from $1.30 to $3.90. CMS is seeking comment on an appropriate cost-sharing rate for inpatient services for this same group of individuals.
For non-exempt individuals with incomes between 100% and 150% of the FPL receiving non-exempt services, CMS would allow states to impose cost-sharing at a rate of up to 10% of the amount the state pays for the service, with differential cost-sharing levels for different groups of individuals. CMS seeks comment on how the regulations should address the types of targeting that would be allowed.
CMS is also proposing specific regulations regarding cost-sharing for drugs and Emergency Department (ED) services. States would be allowed to use differential cost-sharing for preferred and non-preferred drugs and to apply cost-sharing to individuals at all income levels. States could establish a share of up to $8.00 for non-preferred drugs for individuals with incomes at or below 150% of the FPL or who are otherwise exempt from cost-sharing. For individuals with family income greater than 150% of the FPL, states could impose cost-sharing of up to 20% of the cost to the state for non-preferred drugs. CMS made similar proposals for non-emergency services provided in a hospital ED. For individuals with incomes between 100% and 150% of the FPL, states could establish cost-sharing of up to $8.00 for non-emergency ED services. For individuals above 150% of the FPL, there would be no limit to cost-sharing for non-emergency ED services. CMS seeks comment on methods to differentiate between emergency and non-emergency services.
Comments on the proposed rule are due to CMS by February 13, 2013. Providers should consider the potential impact of these rules on their finances, particularly on their bad debts, considering CMS’s recent reduction to bad debt reimbursement. See 77 Fed. Reg.67450, 67518-19 (Nov. 9, 2012).
The proposed rule is available by clicking here.
Reporter, Paige Fillingame, Houston, +1 713 615 7632, firstname.lastname@example.org.
OIG Recommends that CMS Recoup More Than $100 Million in Overpayments for Incarcerated and Unlawfully Present Beneficiaries – CMS made more than $100 million in improper payments to providers for healthcare services on behalf of incarcerated and unlawfully present individuals between 2009 and 2011, according to a pair of reports issued on January 24, 2013 by the HHS OIG. As a result, OIG is recommending that CMS recoup those overpayments and implement policies and procedures to prevent any such overpayments in the future.
Because “CMS did not have policies and procedures to review incarceration information on a postpayment basis,” OIG concluded, $33,587,634 in improper payments was made to providers for services rendered to 11,619 incarcerated beneficiaries during 2009 through 2011. Medicare generally does not pay for services rendered to incarcerated beneficiaries, including “individuals who are under arrest, incarcerated, imprisoned, escaped from confinement, under supervised release, on medical furlough, required to reside in mental health facilities, required to reside in halfway houses, required to live under home detention, or confined completely or partially in any way under a penal statute or rule.” 42 C.F.R. § 411.4(b). Although in some limited instances federal regulations permit Medicare to pay for services rendered to these individuals, a special “exception code” must be used to bill for the services.
Similarly, OIG concluded that because CMS did not conduct postpayment review of unlawful presence information, improper payments totaling $91,620,548 were made to providers for services rendered to 2,575 unlawfully present individuals during the same time period. Federal law provides that Medicare benefits are not payable to any alien in the United States for any month during which the alien is not lawfully present in the United States as determined by the Attorney General. See 8 U.S.C. § 1611.
As a result of these findings, OIG made several recommendations to CMS, including:
- CMS should ensure that Medicare contractors recoup these improper payments;
- CMS should implement policies and procedures to detect and recoup improper payments made for Medicare services rendered to incarcerated and unlawfully present individuals;
- CMS should identify improper payments made on behalf of incarcerated and unlawfully present beneficiaries outside of the 2009–2011 audit period;
- CMS should work with other entities, including the Social Security Administration, to improve the timeliness with which CMS receives incarceration information; and
- CMS should work with Medicare contractors to ensure that all claims with exception codes are processed consistently and pursuant to Federal requirements.
Although CMS generally concurred with OIG’s recommendations and stated that in April 2013 it plans to implement a process for detecting and recouping improper payments for previously paid Medicare claims, CMS also noted that it must take into account the “cost benefit of recoupment activities” with respect to the specific improper payments identified in the OIG reports.
OIG’s reports are available by clicking here and here.
Reporter, Ramsey Prather, Atlanta, +1 404 572 4624, email@example.com.
Cord Blood Bank Settles FTC Charges that it Failed to Protect Consumers’ Sensitive Personal Information – On January 28, 2013, CBR Systems, Inc. (CBR) agreed to settle FTC charges that it failed to protect its customers’ personal information, including nearly 300,000 customers’ Social Security numbers and credit and debit card numbers.
CBR collects and stores umbilical cord blood and umbilical cord tissue for potential medical use. The company also collects and stores customers’ personal information, including each customer’s name, address, email address, telephone number, date of birth, Social Security number, driver’s license number, credit card number, debit card number, medical health history profile, blood typing results, and infectious disease marker results. According to the FTC, the misuse of the types of personal information CBR collects—including Social Security numbers, dates of birth, credit card numbers, and health information—can facilitate identity theft, including existing and new account fraud, expose sensitive medical data, and lead to related consumer harms.
Specifically, the FTC alleged that CBR did not use “reasonable and appropriate practices to protect consumers’ personal information from unauthorized access.” For instance, CBR created unnecessary risks to it customers’ personal information by transporting the information on backup tapes, a thumb drive, and other portable data storage devices containing personal information in a way that made the information vulnerable to theft. CBR also failed to take sufficient measures to prevent, detect, and investigate unauthorized access to its computer networks.
To address the FTC’s concerns, CBR agreed to a settlement. Specifically, the FTC’s Consent Order, which is available by clicking here, provides that CBR must “establish and maintain a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.” The security program must contain administrative, technical, and physical safeguards appropriate to CBR’s size and complexity, the nature and scope of its activities, and the sensitivity of the information collected from or about consumers. The Consent Order also requires CBR to engage a “qualified, objective, independent third-party professional” to provide reports on CBR’s progress in implementing the provisions in the Consent Order.
Reporter, John Carroll, Washington, D.C., +1 202 626 2993, firstname.lastname@example.org.
Attestation Deadline is February 28, 2013 for Medicare Eligible Professionals Who Participated in the 2012 EHR Incentive Program – Eligible professionals (EPs) who participated in the 2012 EHR Incentive Program must attest by February 28, 2013, to receive their Medicare incentive payments. EPs may access the CMS website to register or attest for the Medicare and/or Medicaid EHR Incentive Programs by clicking here. Also available on the website are links to helpful attestation worksheets to make attestation easier and a meaningful use attestation calculator to assist EPs with ensuring that they have met all of the meaningful use requirements. For Medicaid EPs, the CMS website also provides a link to information about each state’s Medicaid EHR Incentive Program, such as when registration will be available and when attestations will be accepted.
Reporter, Kate Stern, Atlanta, +1 404 572 5661, email@example.com.
King & Spalding LLP to Host Roundtable on February 15, 2013 – King & Spalding LLP will host a Roundtable entitled Are You Covered? Insurance for Healthcare Regulatory Investigations on February 15, 2013, at 1:00 - 2:30 P.M. Eastern Time in the Atlanta office. Prompted by the increased pace and complexity of government investigations, qui tam suits, and evolving delivery models, the Roundtable will focus on planning for and pursuing insurance coverage for defense costs and liability arising from such investigations, litigation, or regulatory enforcement actions. The Roundtable will also be offered as a webinar. For more information and to register for the event, click here.
This bulletin provides a general summary of recent legal developments. It is not intended to be and should not be relied upon as legal advice.
>> Back to Top