backTeaching Hospitals Have Until November 18, 2022 to Request Review of Eligibility to Reset Resident Caps or Per-Resident Amounts Established in Cost Reports That Cannot Be Reopened – On November 3, 2022, CMS posted a notice on its website announcing the Phase 2 deadline for teaching hospitals to request review of the cost report data that the agency is using to determine whether hospitals are eligible under Section 131 of the Consolidated Appropriations Act of 2021 (CAA) to reset their full-time equivalent (FTE) resident caps and per-resident amounts (PRA). Phase 2 applies to hospitals seeking review of their FTE caps and/or PRAs in cost reporting periods that were settled more than three years ago, i.e., beyond the three-year reopening window. The submission deadline for Phase 2 is November 18, 2022.
Section 131 of the CAA allows qualifying hospitals to establish new FTE caps and/or PRAs. CMS has interpreted the statute as identifying two categories of hospitals that qualify for relief under Section 131. The first category is Category A hospitals, which are teaching hospitals that have an FTE cap and/or PRA that was based on training less than 1.0 FTE in a cost reporting period prior to October 1, 1997. The second category is Category B hospitals, which are teaching hospitals that have an FTE cap or PRA based on the training of 3.0 or fewer FTEs in a cost reporting period beginning on or after October 1, 1997, and before the enactment of the CAA (December 27, 2020).
In December 2021, CMS issued a final rule implementing Section 131 of the CAA. In the rule, CMS said that it would use cost report data from the Hospital Cost Report Information System (HCRIS) to identify hospitals that are eligible for relief under Section 131. If the HCRIS data shows that a hospital established an FTE cap and/or PRA based on the training of less than 1.0 FTE in a cost reporting period prior to October 1, 1997, the hospital qualifies for relief as a Category A hospital. If the data shows that a hospital established an FTE cap/PRA based on the training of 3.0 or fewer FTEs in a cost reporting period beginning on or after October 1, 1997, and before December 27, 2020, the hospital qualifies as a Category B hospital. CMS posted the HCRIS data on its website here to allow hospitals to determine whether they are eligible for a reset.
CMS recognized that some hospitals might disagree with the FTE caps and PRAs reflected in their cost reports. Accordingly, the agency afforded hospitals the opportunity to submit data to refute the FTE counts reflected in the HCRIS data. If a hospital can show that its actual FTE count was lower than 1.0 (for Category A) or 3.0 or less (for Category B), the hospital will qualify for a reset under Section 131.
The agency decided to split the HCRIS data reviews into two phases. Phase 1 applied to hospitals challenging the HCRIS data from cost reports that are either open or reopenable (i.e., settled less than three years ago). In the December 2021 rule, CMS announced that the deadline for hospitals to apply for Phase 1 review was July 1, 2022. The agency said it was seeking comment on how to handle reviews of the HCRIS data from cost reports that are no longer reopenable (Phase 2). Despite soliciting comments on how to implement Phase 2 reviews, the agency never issued a follow up rulemaking to the December 2021 rule.
On November 3, 2022, CMS announced that the deadline to submit Phase 2 reviews is November 18, 2022. Hospitals are instructed to submit “complete documentation in support of the hospital’s assertion that the FTE amounts and/or PRAs reported in the HCRIS posting are incorrect.” A copy of the notice is available here.
Reporter, Alek Pivec, Washington D.C., +1 202 626 2914, apivec@kslaw.com.
Georgia Home Health and Hospice Provider to Pay $425,000 to Resolve Allegations of Inadequate Computer Security in Connection with Data Breach – Aveanna Healthcare, LLC, a Georgia-based home health and hospice care company, entered a consent judgment with the Massachusetts Attorney General’s Office (the AG's Office) on November 3, 2022, agreeing to pay $425,000 to resolve allegations that its security measures were inadequate to protect personal information of its patients and employees.
Aveanna provides pediatric and adult home health care in thirty-three states and has seven offices in Massachusetts. The AG’s Office alleged that hackers began targeting Aveanna with phishing emails in July 2019. By August 2019, over 600 emails had been sent, including one that appeared as though it came from Aveanna’s president. The emails sought user credentials, money, and sensitive information. Employees’ responses to those emails resulted in hackers accessing some portions of Aveanna’s computer network. The hackers may have accessed social security numbers, driver’s license numbers, financial account numbers, and sensitive health information like diagnoses, medications, and treatment records for some 4,000 Massachusetts residents, including Aveanna’s patients and employees. The hackers also attempted to change employees’ direct deposit information in Aveanna’s human resources system.
According to the allegations, Aveanna was aware of weaknesses in its cybersecurity measures but failed to improve them before the phishing attacks occurred. The alleged failures included not providing adequate employee training against phishing attacks and not requiring multi-factor authentication. Additionally, the AG’s Office alleged that Aveanna’s security program did not meet standards for safeguarding personal information under the Massachusetts Data Security Regulations or federal HIPAA regulations.
In addition to the financial settlement, Aveanna agreed to develop and implement a security program with multi-factor authentication, anti-phishing technology, and other measures to protect against breaches. The consent judgment requires Aveanna to annually assess its compliance with the settlement and the Massachusetts Data Security Regulations for four years. It also requires Aveanna to train its employees on data security and update them on security threats. Aveanna provided victims of the breach with two years of free credit monitoring as a result of the incident.
A copy of the consent judgment is available here and the complaint is available here.
Reporter, Doug Comin, Atlanta, +1 404 572 3525, dcomin@kslaw.com.