Author: Scott R. Landau

On July 20, 2022, the Department of Justice (“DOJ”) published a press release discussing a concerted effort to combat specific areas of healthcare fraud, telemedicine, clinical laboratory, and durable medical equipment. The announcement was coupled with criminal charges brought against 36 defendants in 13 federal districts totaling over $1.2 billion in criminal proceeds (over $1 billion of which stem from unlawful telemedicine practices). The Centers for Medicare & Medicaid Services (CMS), Center for Program Integrity’s also brought administrative actions against 52 providers participating in similar allegedly fraudulent schemes, resulting in a departmental seizure of over $8 million in fraud proceeds. The criminal ventures under investigation predominantly include “illegal kickbacks and bribes by laboratory owners and operators in exchange for [patient] referrals,” thereby violating the Anti-Kickback Statute (“AKS”).

In one such case, charges were brought against the manager of “several clinical laboratories” concerning his involvement in a scheme to issue over $16 million in kickback proceeds to marketers who would resultantly pay further kickbacks to “telemedicine companies and call centers in exchange for doctors’ orders.” This scheme revolved around cardiovascular and cancer genetic testing, the results of which were not used in patient treatment, and which led to $174 million in fraudulent claims being submitted to Medicare. Other cases include a domestic and international “telemarketing network” that tricked vulnerable patients (primarily those with elderly and/or disabled identities) into participating in an illegal scheme by opting into cardiovascular and genetic testing.

In response to the recent increase in fraudulent schemes involving telemedicine companies and practitioners, the Office of Inspector General (“OIG”) issued a “Special Fraud Alert” on July 20, 2022, encouraging practitioners to exercise caution when entering into arrangements with telemedicine companies. The Special Fraud Alert identifies several characteristics that are frequently present in fraudulent arrangements. The most obvious red flag highlighted by the OIG is when telemedicine companies arrange with practitioners to order or prescribe medically unnecessary items and services for patients who are solicited and recruited by the telemedicine companies. This is problematic for several reasons: (1) it can lead to an inappropriate increase in costs to federal health care programs, (2) it could harm patients or delay needed care by providing medically unnecessary services, and (3) it can lead to the corruption of medical decision-making.

The OIG’s recent Special Fraud Alert includes a list of “suspect characteristics” that may typify a potentially fraudulent arrangement between practitioners and telemedicine companies. This list is based upon the OIG and DOJ’s lengthy enforcement experience and is illustrative rather than exhaustive. These “suspect characteristics” identified by the OIG are as follows:

1. The patients for whom the practitioner orders items or services were recruited by the telemedicine company or an agent of the telemedicine company for free or low out-of-pocket cost items or services.
2. The practitioner does not have sufficient contact with or information from the patient to meaningfully assess the medical necessity of the items or services ordered or prescribed.
3. The telemedicine company compensates the practitioner based on the volume of items or services ordered or prescribed, which may be characterized to the practitioner as compensation based on the number of purported medical records that the practitioner reviewed.
4. The telemedicine company only furnishes items and services to federal health care program beneficiaries and does not accept insurance from any other payor.
5. The telemedicine company claims to only furnish items and services to individuals who are not federal health care program beneficiaries but may in fact bill federal health care programs.
6. The telemedicine company only furnishes one product or a single class of products, such as durable medical equipment, genetic testing, diabetic supplies, or prescription creams, potentially restricting a practitioner’s treating options.
7. The telemedicine company does not expect practitioners to follow-up with patients, nor does it provide practitioners with the information to follow up with them.

It is critical for practitioners and telemedicine companies alike to be aware of and recognize these characteristics because a fraudulent arrangement may lead to potential liability under various federal laws, including the AKS, the Civil Monetary Penalties Law provision for kickbacks, criminal healthcare fraud statutes, and the False Claims Act (FCA).

On March 22, 2022, the Department of Health and Human Services (HHS) issued a guidance statement (GL-2022-03) to clarify covered entities’ obligation to ensure that their business associates comply with HIPAA regulations.

The need for clarification arose from various complaints alleging that HIPAA business associates were failing to comply with various HIPAA Administrative Simplification requirements – which are standards for electronic transactions, code sets, unique identifiers, and operating rules in an effort to reduce paperwork and streamline business processes across health care systems. With this clarification, it is now clear both that: (1) business associates are indeed required to comply with HIPAA administrative simplification requirements; and (2) covered entities can be held responsible for their business associates’ noncompliance with such requirements.

HIPAA Covered Entities and Business Associates

By way of background, HIPAA is a federal law that creates a set of national standards for the protection of certain health information. Only certain organizations, namely, “covered entities” and their “business associates” must comply with the HIPAA Privacy Rule.

HIPAA covered entities include health plans, health care clearinghouses, and health care providers who transmits any health information in electronic form in connection with a transaction for which a standard has been adopted. See 45 C.F.R. § 160.103. A HIPAA business associate is a person (including a partnership, corporation, or other public or private entity) that performs certain services or conducts transactions on behalf of a covered entity (excluding members of a covered entity’s workforce, who are not considered to be business associates). There are four types of HIPAA Administrative Simplification Standards. These requirements, also known as Electronic Data Interchange (“EDI”) Standards, are set forth in 45 C.F.R., Part 162, and: (1) regulate transactions for pharmacy and health care administrative information, including claims; (2) impose operating rules to support standard transactions; (3) require unique identifiers for health plans, providers, and employers; and (4) require code sets (which help classify medical diagnoses, procedures, diagnostic tests, treatments, equipment, and supplies) for clinical diagnoses and procedures.  While the regulations state “covered entities” must comply with the administrative simplification standards,” they are silent on whether they apply to business associates.  Hence the need for clarification by HHS.

Key Takeaways from the Guidance Statement

In the Guidance Statement, HHS made clear that business associates are indeed required to comply with HIPAA Administrative Simplification Requirements, even though business associates are not “covered entities.” This means that when a covered entity engages a business associate, such as an accountant, IT contractor, or billing company to conduct a transaction for which a standard has been adopted on behalf of the covered entity, the business associate, and any agents or subcontractors thereof, must also comply with the requirements, and that those requirements are not just applicable to covered entities (as had previously been believed by many).

HHS also concluded that covered entities are responsible if their business associates do not comply with applicable HIPAA Administrative Simplification Requirements. There are two takeaways from this guidance.  First, covered entities are not relieved from compliance responsibility simply because they engage a business associate to provide services for, or on their behalf. Second, because a “business associate’s actions or inactions are imputed to the covered entity,” a covered entity can be held directly responsible for the failures of their business associates even if they themselves are in full compliance. 
Given these clarifications, it is more critical than ever that covered entities not only ensure that they remain in compliance with HIPAA Administrative Simplification Requirements, but that their business associates do as well.  Covered entities that have previously relied on business associates to meet certain requirements so that they do not have to will no longer be able to do so, and may face HIPAA enforcement exposure if they or their business associates fail to comply with the rules.

How can we help

AEL are expert healthcare lawyers who have significant experience with HIPAA compliance issues. Read more about our Healthcare Regulatory & Compliance Counseling and Data Privacy & Security Practice Areas. Scott R. Landau is a partner and Raquel Frier is an associate of the Firm. If you are a covered entity such as a health plan, health care clearinghouse, or health care provider, or are a business associate to covered entities, we can help you navigate the HIPAA regulations and avoid noncompliance.  If you have any questions please reach out to us.

Yesterday, the U.S. Department of Justice (DOJ) released its annual report of False Claims Act (FCA) settlements, in which it announced that the government obtained more than $5.6 billion in settlements and judgments in civil false claims and fraud cases in 2021.  Remarkably, of the $5.6 billion recovered, a staggering $5 billion — nearly 90% of the total amount recovered — came from settlements in healthcare matters involving nearly every type of player in health care, including drug and device manufacturers, hospitals, physicians and physician practices, clinical testing laboratories, hospice, long term care, and skilled nursing providers, and managed care companies. 

The FCA was designed to prevent “false claims for federal funds and property involving a multitude of [] government operations and functions,” and is not limited just to the healthcare field.  FCA cases extend across a variety of industries and practices, including defense contracting, oil and natural gas, customs duties, non-competitive bidding practices, and Federal Housing Administration loans.  Essentially, the FCA covers anyone – entities and individuals – in the business of submitting claims for payment to the federal government. 

That healthcare recoveries constitute the overwhelming majority of FCA recoveries in given year is nothing new. Quite the contrary, save for 2014 (when FCA settlements largely stemmed from the housing and mortgage crisis), healthcare has been the primary source of FCA recoveries in recent years, with total recoveries since 2015 totaling as follows:

2015 – Healthcare comprised $1.9 billion (54.29%) of $3.5 billion total

2016 – Healthcare comprised $2.5 billion (53.19%) of $4.7 billion total

2017 – Healthcare comprised $2.4 billion (64.87%) of $3.7 billion total

2018 – Healthcare comprised $2.5 billion (89.29%) of $2.8 billion total

2019 – Healthcare comprised $2.6 billion (86.67%) of $3 billion total

2020 – Healthcare comprised $1.8 billion (81.82%) of $2.2 billion total

So, while 2021’s figures are not necessarily surprising, DOJ’s primary focus in the false claims and civil frauds space continues to be on the healthcare industry. And despite statements from DOJ’s regarding increased scrutiny on industries other than healthcare (such as cybersecurity and government procurement), it seems unlikely that this pattern will change anytime soon, especially considering the historic levels of emergency funding that were provided by federal agencies to healthcare providers in response to the COVID-19 pandemic, as well as the cases and individuals who have already been charged (and in some cases, sentenced) related to Paycheck Protection Program (PPP) and/or Economic Injury Disaster Loan (EIDL). Quite the contrary, all indications are that the trend of continued scrutiny of and enforcement against healthcare providers – both from DOJ directly and from whistleblowers in “qui tam” actions – will continue to surge in the coming years.

AEL are expert healthcare lawyers and have significant experience navigating providers healthcare adjacent concerns through the complicated and often treacherous waters of FCA cases and parallel criminal and civil proceedings. We also specialize in healthcare related regulatory counseling, both in transactions and day-to-day healthcare operations, so that our clients can proactively and confidently identify legal/regulatory issues before they arise and avoid FCA exposure down the road.  If you have any questions or we can assist you in any way please reach out to us to discuss.

Following years of debate and delay, in late December 2020, Congress passed the “No Surprises Act,” to protect patients against “surprise bills” for services provided by out-of-network providers at in-network facilities.  Recently, in July 2021, the Departments of Health and Human Services (HHS), Labor, and Treasury published an interim final rule (“IFR”) implementing certain provisions of the Act. Below is a high-level summary of the key provisions of Act and the IFR, as well as a list of takeaways for providers to consider going forward.

Surprise Billing

Surprise billing occurs when a patient receives a bill after unknowingly receiving care (in both emergent and non-emergent settings) from a provider who does not participate in their health plan network.  Many states, including New York and New Jersey, instituted surprise billing prohibitions over the last few years, with varying and sometimes conflicting provisions and protections.  See, e.g., McKinney’s Financial Services Law § 603(h).  Among other things, the inconsistencies between state-level surprise billing prohibitions led to the birth of a federal solution, the No Surprises Act (the “Act”).

The No Surprises Act

The Act prohibits balance billing for non-emergency services furnished by out-of-network providers during a patient’s visit at an in-network facility unless the patient “waives” their rights under the Act by consenting to receive services from (and be billed) by an out-of -network provider (more on this below). The Act is intended to “protect patients from surprise medical bills and promote fairness in payment disputes between insurers and providers.” Importantly, the Act is not intended to preempt “state-level solutions already on the books” so long as such “solutions” do not prevent the application of federal requirements.

The Interim Final Rule

The IFR prohibits surprise billing in the following three circumstances:

• When a patient receives emergency services from an out-of-network provider. Under the IFR, “emergency services” include services that may be required if the patient ends up being admitted to the hospital.
• When a patient receives non-emergency services from an out of network provider at an in-network facility.
• For air ambulance services.

Under the IFR, patients may waive their rights under the Act and consent to balance billing for services rendered by an out-of-network provider. A valid waiver requires both voluntary and informed consent. To ensure proper consent, the government created a standard notice and consent form; the form requires some customization, including the provider’s name and a good faith estimate of the amount charged for the services provided, and must be made available to patients in the 15 most common languages in the provider’s geographic region.

The IFR also sets forth specific timing protocols. The notice and consent form must be given to the patient either (1) at least 72 hours before their scheduled appointment or (2) on the day of their appointment at least three hours before services are provided. Patients may request a copy of the notice and consent form in any format they select (i.e., e-mail, printout, mail). If a patient signs a notice and consent form, the out-of-network provider is required to send a copy to the patient’s health plan.

If the IFR applies, patients only need to pay their in-network cost share responsibilities for the services received. Where a patient’s cost share amount is based on a percentage of charges, the in-network percentage is applied to the “recognized amount.” The recognized amount is determined, in order of priority, as follows: by (1) An All-Payer Model Agreement, (2) specified state law, or (3) the lesser of (a) the amount billed by the out-of-network provider or (b) the Qualifying Payment Amount (“QPA”). The IFR does not contain time limits as to when a complaint regarding a violation of the Act must be made. The government is, however, currently seeking public comments and suggestions on this issue, and will presumably update the IFR (or make it a non-interim Final Rule at some point) when determinations are made on this issue.

What Do You Need to Know?

Though the IRF is an “interim” rule, it is also a “final” rule –meaning that unlike a proposed rule, it is now in effect. So while additional regulation on open issues is likely to issue in the coming months, provider compliance with the No Surprises Act and its implementing regulations in the IFR is now required.  Providers should thus take steps now to ensure compliance with the IRF, including:

• Adjusting patient schedules, if needed, to comply with the IFR’s timing protocols regarding notice and consent requirements.
• Consideration of how the law and rules impact decisions regarding payor network participation.
• Updates to websites to ensure that they contain the required surprise billing disclosures prior to 1/1/2022.
• Collaboration with payors to ensure timely communication.

AEL is of course continuing to monitor the landscape and will provide updates as they become available.  In the meantime, if you have any questions about compliance with the No Surprises Act or any state-level surprise billing rules and regulations, please reach out to us and we will be happy to assist.

Yesterday, much to the dismay of lawmakers, providers, and my fellow “Stark nerds,” CMS gave itself yet-another year to finalize long-anticipated and much needed changes to regulations promulgated under the Physician Self-Referral Law (a/k/a the “Stark” law).  With this additional delay, it is now beyond question that the U.S. Department of Health and Human Services’ (HHS) so-called “Regulatory Sprint to Coordinated Care” is really more of a “mosey.” 

As currently structured, the Stark regulations and those promulgated under its cousin the Antikickback Statute (AKS) aim to prevent fraud and abuse concerns inherent in a fee-for-service based payment system (such as overutilization and overbilling). These rules were not only built for what is fast becoming an outdated system as we shift from fee-for-service to value-based payment, they actually discourage providers from pursuing innovative quality and value-based delivery and compensation models (I’ve previously described them as “analog regulations for a digital world”). And it is not tenable to mandate, by law (the Accountable Care Act, among others), that healthcare providers transition to a value-based system when the regulations still on the books inhibit them from doing so.

Recognizing this dilemma, in 2018 HHS launched its “Regulatory Sprint to Coordinated Care” with the laudable goal of reducing the regulatory hurdles prohibiting innovate value and quality-based delivery arrangements and care-coordination activities. Soon thereafter, HHS requested public comments on ways that the Stark and AKS regulations could be improved and modified to encourage care coordination and value-based care, and it seemed like things were quickly moving in the right direction. 

But then, nothing.   

It took almost a whole year from the request for comments for CMS and HHS to issue proposed rules to “modernize and clarify” the Stark and AKS regulations, which they did in October 2019.  And though the proposed rules included new value-based exceptions and safe-harbors and modified and clarified many others that are frequently relied upon by providers, many  commentators noted that the proposed changes did not go far enough to provide the relief providers needed to encourage them to explore innovate arrangements and effect systemic meaningful change. Those who voiced concerns were proven right when the COVID-19 crisis hit, and HHS had to issue blanket waivers of certain Stark law prohibitions (and corresponding yet aggravatingly-impotent AKS “enforcement discretion”) in order to permit providers to pursue innovative arrangements designed to expand care delivery to patients.  Yet despite overwhelming support for regulatory reform from all sides – including providers, facilities, patients, and policymakers – all of whom agree that paving the way for providers to participate in payment models where physicians and facilities can share financial rewards for delivering lower cost and higher-quality care, no permanent changes have yet to be made.  And so, the old “analog” rules remain in place.

Earlier this week, more than 70 members of Congress wrote to HHS and the White House Office of Management and Budget (OMB) asking them to “finalize already” (not a direct quote) the proposed Stark and AKS rule changes in order to allow for increased coordination and improved care for patients.  In response, the next day CMS issued its notice indicating that final updates to the Stark regulations would not be issued until August 2021.  Though there is no official word yet regarding timing of finalizing changes to AKS regulations, it seems likely that those efforts will be delayed as well, as the proposed Stark and AKS rule changes were proposed in tandem and in many ways are interrelated. 

We recognize that the COVID crisis necessarily delayed these processes and understand that regulators are still “working through the complexities of the issues.”  We also appreciate that regulators can exercise enforcement discretion in certain situations.  But such discretion can only go so far, and without actual, meaningful regulatory reform, providers will remain discouraged from fully and whole-heartedly pursuing value and quality-based care delivery and payment arrangements, and the costs associated with vetting innovative arrangements for compliance with antiquated regulations will continue to be incurred.  And ultimately it is patients who will suffer without fully coordinated care, and taxpayers who will bear the costs of our increasingly inefficient systems. 

We will of course continue to monitor the landscape and provide updates as soon as they are available.  But unfortunately, our hopes for regulatory reform anytime soon are fast-fading. 

It goes without saying that the COVID-19 pandemic has changed the healthcare delivery landscape in America.  Since the March 6, 2020 public health emergency declaration (PHE), providers have, out of necessity, pivoted from primarily providing services via in-person visits to providing services via telehealth modalities — so they can continue to care for patients while at the same time reducing exposing healthcare workers to the disease, preserving personal protective equipment (PPE), and minimizing the impact of patient surges on facilities.  But even though telehealth has proven so critical and useful over the last few months, the question still remains: is telehealth here to stay, or is it just another passing fad like the KE diet, or Beanie Babies??

Telehealth – which includes a broad range of technologies for providing patient care and improving healthcare delivery via “remote” means (including “telemedicine,” which is a subset of telehealth that refers solely to the provision of clinical services via interactive two-way communication) – has actually been around, in one form or another, for decades.  Over the past 10 or so years, significant technological advances have resulted in increased telehealth acceptance and usage by providers and patients alike.  It was even becoming a “hot target” for government enforcement pre-pandemic, with two large “takedowns” (in April 2019 and September 2019) related to telehealth kickbacks and other billing fraud schemes (and when something becomes the target of government enforcement actions, you know it is has become ubiquitous, as the government is often the last to the party).

But, as we previously reported back when we were much better about writing regular blog posts, pre-pandemic services delivered by telehealth modalities were only reimbursed by Medicare under limited circumstances (mostly involving rural providers and patients), and thus, were relatively underutilized.  Following the March 6, 2020 PHE declaration and CMS’ March 16, 2020 “1135 waivers” (which relaxed many of the prior restrictions on Medicare reimbursement for telehealth services), however, telehealth usage by Medicare beneficiaries and patients covered by Medicaid, as well as patients with coverage through commercial payors (who largely followed Medicare’s lead and adopted coverage and reimbursement for telehealth in alignment with federal and state mandates) boomed.  According to new data from Fair Health’s tracking tool, from May 2019 to May 2020, telehealth claim lines increased by 5,680% nationally, from 0.15% of medical claim lines in May 2019 to 8.69% in May 2020.  And though telehealth usage appears to have plateaued since May, it remains a critical tool in the providers’ toolbox as the COVID-19 crisis continues to cause havoc across the land.

Ultimately what will become of the myriad waivers and regulatory flexibilities implemented by the government post-PHE remains to be seen and is the subject of speculation and debate in the healthcare world.  Recent government actions, however, seem to suggest that many longstanding restrictions on telehealth usage and reimbursement will continue to be “relaxed” post-pandemic and may even be discontinued altogether – allowing Telehealth to become a more permanent feature of healthcare delivery in America. Specifically, in just the last few weeks, the government has taken the following important actions impacting Telehealth usage and reimbursement:

• Effective July 25, HHS renewed the COVID-19 PHE.  Had the PHE not been renewed, the pandemic-related Telehealth would have expired and things (Telehealth related things, anyway) would have gone back to “normal.” With this most recent renewal, the PHE is extended for another 90 days and will now expire on October 23, 2020 unless renewed again (which seems likely) or if the HHS Secretary terminates it earlier.

• On August 3, President Trump signed an executive order to expand access to Telehealth services in rural communities and make certain Telehealth services permanent once the COVID-19 public health emergency (PHE) ends. The order seeks to build upon CMS’s previous Telehealth expansions permitting providers to provide telehealth services across state lines and boosting reimbursement rates.  Additionally, the order: (1) requires HHS to implement a new payment model designed to meet the needs of rural communities; and (2) calls for the government to deploy a “joint initiative focused on improving healthcare infrastructure in rural areas.

• On the heels of the August 3 executive order, CMS issued a proposed rule announcing policy changed for Medicare payments under the Physician Fee Schedule (PFS) for calendar year (CY) 2021, and other Medicare Part B issues.  With respect to telehealth, the proposed rule, which is 1353 pages long (no, we did not read the whole thing), proposes, among other things: (1) Expanding Medicare beneficiary access through Telehealth to carry out, among other things, home visits for evaluation and management (E&M) services and some visits for individuals with cognitive impairments; and (2) Temporarily continuing payment for telehealth services for emergency department visits and other services to give the healthcare community “time to consider whether these services should be delivered permanently through telehealth outside of the” PHE. It also calls for suggestions for other telehealth services that should be reimbursed by Medicare, to be submitted via comments by October 5,

• The HEROES Act, which was passed by the House of Representatives in May, includes direct funding and other provisions aimed at increasing telehealth access and infrastructure, and the plan proposed by Senate leadership seeks to extent telehealth waivers and increase access and benefits to employees who do not work full time or may not otherwise qualify for employer coverage. 

Clearly these are all steps towards making telehealth a larger and more permanent feature of the U.S. healthcare system.  That said, expansion of telehealth by both government and commercial payors, however, is not without its hurdles – including technology costs, operational challenges, provider comfort with virtual modalities, and training needs.  There is also the issue/question of fee rates, with many payors viewing telehealth as a way to save money relative to in-person visits (in states where there are no telehealth “parity” laws), while providers — many of whom are already facing rate reductions and increasing expenses – fear (rightfully) that fee disparities will only further disrupt the already delicate economics of running hospitals, healthcare institutions, and professional practices.

Additionally, in order for telehealth to become a permanent feature of healthcare in America, significant legal changes (on both the federal and state levels) will be needed.  While some of this can be done “administratively” via executive action and agency rulemaking and guidance, at the end of the day, real change will ultimately require congressional action via legislation, as CMS’ regulatory authority outside of the PHE is largely limited to what types of services can be provided via telehealth, and CMS cannot make telehealth reimbursement available permanently or permanently expand the list of providers authorized to provide services via telehealth.  As CMS Administrator Seema Verma has stated, “telemedicine can never fully replace in person care, but it can complement and enhance in-person care by furnishing one more powerful clinical tool to increase access and choices” for patients.  To what extent telehealth will become a permanent “complement” to in-person services, however, remains an open question, and one to which there is likely not a “one size fits all” answer.  We will of course continue to monitor the landscape and provide updates as they become available.  And if you have any questions about telehealth/telemedicine, please reach out to us and we will be happy to assist.

On April 24, 2020, the Office of Inspector General for the U.S. Department of Health and Human Services (“OIG”) issued responses to frequently asked questions (“FAQs”) regarding application of its administrative enforcement authority (under the Antikickback Statute (“AKS”) and the Civil Monetary Penalties law (“CMP”)) to certain COVID-19 related financial arrangements. With all due respect to OIG, its responses here were so cumbersome and equivocal that they failed to give healthcare providers the clarity and assurances they need to nimbly and creatively provide efficient patient services in this constantly-evolving regulatory environment.

OIG’s Specific Responses to FAQs

OIG’s stated purpose in responding to the FAQs was to “ensure that health care providers have the regulatory flexibility necessary to adequately respond to COVID-19 concerns.”  While this is a laudable and important goal, many of OIG’s responses to questions submitted by stakeholders are simply too convoluted and oblique to provide actual meaningful guidance.

For example, in response to a question regarding whether mental health and substance use disorder providers can accept donations to “fund cell phones, service or data plans” for patients who are financially needy for purposes of furnishing medically necessary services during the COVID-19 outbreak, OIG offered a lengthy and meandering response regarding the importance of technology and the fact that different relationships between donors, providers, and patients present different fraud and abuse risks, among other things. Ultimately, and with multiple caveats, OIG went on to state that the proposed arrangement “likely presents a sufficiently low risk of fraud and abuse” so long as the arrangement complied with 8 specific “safeguards” enumerated in the response.  OIG further cautioned that its response related only to the “financial relationship” between the provider and the patient, and that risks that may arise regarding financial relationships between donor and provider needed to be “separately assessed.”

Similarly, in response to another question regarding whether or not providers can furnish services “for free or at a reduced rate” to “assist skilled nursing facilities (SNFs) or other long-term care providers that are facing staffing shortages,” OIG again recited the history of its “longstanding” guidance that the provision of free goods or services to actual or potential referral sources may violate the AKS. Following this lengthy, punctation-less walk back in time, OIG eventually, indirectly, and equivocally concluded that “we believe that these circumstances likely would present a low risk of fraud and abuse” under the AKS and CMP so long as the services complied with 6 additional “safeguards” that would need to be followed.

And again, in response to a query as to whether hospitals can provide access to their web-based telehealth platforms for free to independent physicians on their medical staffs so they can furnish telehealth during the COVID-19 emergency period, instead of just responding “yes,” OIG again engaged in a lengthy recital of its longtime guidance before disguising its equivocal response (that the arrangement would present a “low risk” of fraud and abuse assuming implementation of 6 additional safeguards) in the middle of a lengthy paragraph.

While we recognize (as discussed below) that these FAQ responses constitute only “informal” and non-binding guidance, they are far from a beacon of clarity, and in many cases raise additional questions to which the answers remain unknown.

Further Caveats and Limitations on OIG’s Responses to the FAQs

Federal agency guidance often contains overarching caveats and limitations. OIG’s responses to the FAQs follow this form, and in addition to the specific caveats and limitations included in each response, they also contained multiple” “blanket limitations as well.

Most notably, OIG cautioned that: (1) its specific responses to the FAQs; and (2) responses to inquiries and questions submitted via email and outside of the formal advisory opinion process generally, constitutes “informal feedback” that “does not bind or obligate HHS, the U.S. Department of Justice, or any other agency.” Here, OIG reminded parties that the “advisory opinion process” remains available for parties seeking more formal, binding guidance, and that favorable answers provided in “informal feedback” in response to questions submitted via email will not result in “prospective immunity or protection from OIG administrative sanctions . . . or protection under Federal criminal law.” Though ostensibly “cold comfort” for providers seeking guidance in a pinch, we believe that the government would be hard-pressed to seek sanctions and/or prosecute COVID-19 related arrangements upon which OIG had previously favorably opined, even if only equivocally, in “informal,” non-binding guidance like this..

OIG further cautioned that its FAQ responses apply only to arrangements in existence “solely” during the time period subject to the COVID-19 Declaration, and that it may take “different” positions on arrangements that are “the same or similar that existed before the effective date of the COVID-19 Declaration or after the time” the declaration ends. In other words, while OIG may exercise its discretion not to enforce the AKS and/or CMP regarding certain arrangements in place during the COVID-19 crisis, those very same arrangements may still be subject to enforcement if they were in place before the crisis began or if they remain in place after it ends.

Additionally, OIG noted here that it is expressing no opinions regarding the application of any federal or state laws or rules other than the AKS and CMP, including but not limited to the Stark law. OIG further cautioned that its FAQ responses should not be read as opining on the liability of any party under the Federal False Claims Act or federal criminal laws regarding improper billing, claims submission, cost reporting, or “related” conduct. In other words, OIG’s “guidance” here relates only to its enforcement authority (and its discretion to exercise such authority) under the AKS and the CMP.

With those caveats in mind, OIG still invites the health care community to submit inquiries regarding the application of OIG’s enforcement authority under the AKS and the CMP during the COVID-19 crisis to [email protected]. OIG asks that all submissions provide “sufficient facts to allow for an understanding of the key parties and terms of the arrangements at issue,” and will continue to respond to questions submitted and update the FAQ site as it responds to additional questions.

Final Thoughts

We understand that OIG cannot issue full-throated, binding commentary outside of the formal “advisory opinion” process. That said, the length of OIG’ responses to the FAQs combined with their unusually high level (even for a government agency) of equivocation significantly diminishes their utility to front-line healthcare providers – who in this time of crisis need  straightforward guidance so that they can most efficiently and effectively deliver patient care services. While issuing FAQ responses like these certainly creates work for attorneys like us (who then have to interpret it for our provider clients), it gives little direct, practicalguidance to providers, and thus cannot enable them to be as nimble as possible during these current emergent circumstances.    All that said, if you still wish to submit questions to OIG regarding COVID-19 related arrangements through the “informal” submission process, we will be happy to assist you. Please contact us at [email protected] for more information.

As we previously reported here, on March 30, 2020, CMS issued 18 “blanket” Stark law waivers designed to put “patients over paperwork” and permit providers to engage in certain transactions meant to aid in the fight against COVID-19 but which might otherwise run afoul of technical requirements of Stark law.  The blanket waivers (“Blanket Waivers”) sought to relax certain regulatory requirements for purposes “solely related to COVID-19” response,” including waiving the requirement that payments from hospitals and providers to rent equipment or receive services from physicians (or vice versa) be within “fair market value.”

Following issuance of the Blanket Waivers, providers raised a plethora of questions and concerns. In response, on April 22, 2020, CMS issued “Explanatory Guidance” relating to the “scope and application of the blanket waivers to certain financial relationships,” and to address certain issues and queries raised by stakeholders about the waivers.

Interestingly, in the introduction to the Explanatory Guidance, CMS appears to suggest that the intent of the parties will be considered by the government in False Claims Act (FCA) cases alleging Stark law violations for arrangements that may be covered by the Blanket Waivers. Specifically, CMS stated here that “the Secretary [of HHS] will work with the Department of Justice to address False Claims Act relator suits where parties using the blanket waivers have a good faith belief that their remuneration or referrals are covered by a blanket waiver.” Given that the Stark law is a “strict liability” statute under which intent is ordinarily irrelevant, this could be a significant development limiting the specter of FCA cases based on alleged Stark law violations in the wake of the COVID-19 crisis. 

In the Explanatory Guidance, CMS also addressed the following specific issues related to the Blanket Waivers:

• Compliance with Non-Waived Requirements of an Applicable Exception: Here, CMS clarified that while the Blanket Waivers eliminate or amend only some requirements of existing Stark law exceptions, providers still have to satisfy all non-waived requirements of an applicable exception.

• Amendment of Compensation Arrangements (During Emergency Period): Here, CMS clarified that if parties amend the remuneration terms of an existing arrangement during the “emergency period” based on the “Blanket Waivers,” (1) the amended arrangement still must satisfy all non-waived requirements of the applicable Stark exceptions(s), and (2) that following expiration of the emergency period the renumeration terms may again be modified to return to the original terms or to effectuate additional necessary modifications.

Interestingly, CMS used this opportunity to state that, contrary to many providers’ (and attorneys) belief, that it interprets the preamble guidance in the Fiscal Year 2009 Inpatient Prospective Payment System (FY 2009 IPS) final rule (73 FR 48434) to allow amendments to the remuneration terms of compensation agreements even within the first year after an initial amendment of the remuneration terms of the arrangement, provided that: (1) each time the remuneration terms are amended all requirements of an applicable Stark exception are still satisfied; (2) the amended remuneration is determined before the amendment is implemented; (3) the formula for the amended remuneration does not take into account the volume or value of referrals or other business generated by the referring physician; and (4) the overall arrangement remains in place for at least 1 year following the arrangement. This additional nugget – in particular the statement that CMS expects such arrangements to “stay in place” rather than be for “terms” of at least 1 year – is itself confusing, and is bound to lead to more questions regarding this “guidance” in the future.

• Applicability of Blanket Waivers to Indirect Compensation Arrangements: Here, CMS clarified that while the Blanket Waivers only related to “direct” compensation arrangements under the Stark law, parties “may request an individual waiver” with respect to “indirect” compensation arrangements.”  CMS further noted here that arrangements where physicians own the subject physician organization, the arrangement may not need to be analyzed as an “indirect” compensation arrangement and instead should be analyzed as a “direct” arrangement based on the “stand in the shoes” provisions of the Stark law.

• Repayment Options for Money Loans Between a DHS Entity and a Physician (or the Immediate Family Member of a Physician): Blanket Waivers # 10 and # 11 address remuneration in the form of loans with interest rates below FMV or on terms that are unavailable from lenders not in a position to make referrals to or generate business for the party making the loan. Regarding these waivers, CMS responded to providers’ inquiries about form of loan repayment by stating that cash payments are not required to satisfy the debts and that instead, borrowers could repay the loans through in-kind payments (including potentially through the provision of office space, items, or service to the physician lender) so long as the aggregate value of in-kind repayments are consistent with the amount of the loan balance being reduced through the in-kind payments and are commercially reasonable. CMS cautioned here, however, that Blanket Waivers # 10 and # 11 do not waive sanctions related to referrals and claims related to the repayment of the loan. In other words, the loans must be repaid (whether through cash or in-kind payments), and loan forgiveness may form the basis for liability under the Stark law (and the Antikickback statute as well).

• (Timing of) Repayment of Loans, Rent Abatement, or Other Amounts Due Following the End of the Emergency Period: Here CMS clarified loans, rent abatements, or for other items (such as office space, equipment, items, or services) provided at below fair market value do not have to be repaid prior to the termination of the Blanket Waivers and that, instead, appropriate repayment obligations agreed to prior to termination of the Blanket Waivers may continue beyond such termination without running afoul of the Stark law.

• Restructuring of Existing Recruiting Arrangements with Income Guarantees: In response to inquiries about restructuring existing physician recruiting arrangements such as income guarantees to address practice interruptions, CMS clarified that the Blanket Waivers do not address or relax the requirement that the terms of a physician recruitment arrangement cannot be altered once the physician has relocated his or her practice. However, CMS did note that Blanket Waivers # 5 (waiving sanctions for referrals related to below FMV rental charges) and # 10  (waiving sanctions for loans to physicians with below FMV interest rates) may be available to waive sanctions for remuneration from hospitals (or other entities) to assist physicians whose medical practices experience interruption from the COVID-19 outbreak in order to maintain the availability of medical care and related services for patients and the community during the national emergency.

If you have any questions about the Explanatory Guidance or the Blanket Waivers generally, please contact us and we will be happy to assist.

On the heels of CMS’s “blanket” waivers (the “Blanket Waivers”) of Stark Law enforcement during the COVID-19 crisis (about which we wrote about on March 31, 2020 below), the HHS Office of Inspector General (“OIG”) – the federal agency responsible for the Anti-Kickback Statute (“AKS”) – has issued a Policy Statement announcing that it will not impose administrative sanctions for certain financial arrangements related to COVID-19 services that are exempted from Stark Law liability under the Blanket Waivers but which might still run afoul of the AKS.  

In its Statement, OIG recognized how crucial it is for the healthcare industry to focus on delivering efficient and effective patient-care services during the COVID-19 crisis, which may require parties to enter into arrangements that might not otherwise neatly fit within an AKS “safe harbor.” To avoid the need for parties to “undertake a separate legal review under the [AKS] for” financial arrangements protected by the Blanket Waivers, OIG has agreed to exercise “enforcement discretion” and refrain from imposing administrative sanctions under the AKS with respect to any remuneration between parties that is “exempted” from Stark law liability by sections II.B.(1) through (11) of the Blanket Waivers. For administrative efficiency, all of the conditions and definitions that apply to the Blanket Waivers shall apply to the OIG policy.

Notably, this policy does not apply to remuneration associated with referrals described in sections II.B.(12)-(17) of the Blanket Waivers, for which OIG is asking parties to submit questions to [email protected] for further guidance.  This policy also has no bearing on arrangements that implicate the AKS that are not covered by the Blanket Waivers, such as direct financial relationships between pharmaceutical or device manufacturers and physicians or between providers where there is no physician involved. It should also be noted that this policy only applies to conduct occurring on or after April 3, 2020 and that it shall terminate on the same date as the date that the Blanket Waivers terminate. As expected, the government continues to issue waivers, guidance, and changes to healthcare law and policy at a rapid rate as the COVID-19 crisis continues to test and strain national healthcare resources.  If you have any questions about this policy or any other policy changes, or wish to submit questions to OIG regarding any COVID-19 related arrangements, please contact us at [email protected] or call us at (646) 970-7340 and we will be happy to assist you.

Following President Trump’s declaration of a national emergency, the Secretary of the Department of Health and Human Services (HHS) announced on March 13, 2020 a “waiver” of certain laws and regulations related to Medicare, Medicaid, and other federal healthcare programs.  According to HHS, the waivers were issued:

To ensure that sufficient health care items and services are available to meet the needs of individuals enrolled in the Medicare, Medicaid and CHIP programs and to ensure that health care providers that furnish such items and services in good faith, but are unable to comply with one or more of these requirements as a result of the consequences of the 2019 Novel Coronavirus (previously referred to as 2019-nCoV, now as COVID-19) pandemic, may be reimbursed for such items and services and exempted from sanctions for such noncompliance, absent any determination of fraud or abuse.

While the March 13 waivers contained “blanket” exemptions from certain rules and requirements under laws such as HIPAA and EMPTALA, and from certain Medicare “Conditions of Participation” and rules regarding telehealth services (about which we previously written), it did not provide any “blanket” protection against enforcement and sanctions under the Physician Self-Referral law, better known as the “Stark” Law.  Instead, HHS waived sanctions under the Stark law only “under such conditions and in such circumstances as the Centers for Medicare & Medicaid Services determines appropriate.”  In other words, on a “case by case” basis upon submission of a request for an exemption for a specific arrangement (including justification for the waiver and the expected time needed for the waiver), and approval by CMS.  

Because HHS did not at that time adopt “blanket” Stark law waivers or offer additional guidance regarding how the “case-by-case” Stark law waivers would be applied during the crisis, providers were left confused and in the lurch as to whether (and how) they could pursue innovative arrangements meant to quickly and efficiently expand care delivery to patients without running afoul of the often cumbersome “technical” requirements of the Stark law governing such arrangements. Recognizing the severity of this problem, the American Hospital Association (AMA) wrote to HHS on March 20, 2020, urging that immediate steps be taken to suspend enforcement of the Stark law and the Antikickback Statute (AKS) in order to enhance hospital and providers ability to “engage in a wide array of transactions – from barter to short-term contracts and leases – without worrying about the niceties of complying with the technical requirements of a particular Stark Law exception or an Anti-Kickback Statute safe harbor.” In their letter, the AMA proposed multiple potential relief measures, including exceptions to the definition of “compensation arrangement” under the Stark law, exempting certain forms of “remuneration” from AKS liability, and directing that transactions between hospitals, physicians, and other referral sources with the primary purpose of delivering supplies and services in response to the COVID-19 crisis should not be subject to sanctions or prosecution. 

Yesterday, CMS answered the call to action and issued a number of “blanket” Stark law waivers designed to put “patients over paperwork” and permit providers to engage in certain transactions meant to aid in the fight against COVID-19 but which might otherwise run afoul of technical requirements of Stark law.  These waivers, include the following:

• Hospitals and other health care providers can pay above or below fair market value to rent equipment or receive services from physicians (or vice versa). For example, a physician practice may be willing to rent or sell needed equipment to a hospital at a price that is below what the practice could charge another party. Or, a hospital may provide space on hospital grounds at no charge to a physician who is willing to treat patients who seek care at the hospital but are not appropriate for emergency department or inpatient care.

• Health care providers can support each other financially to ensure continuity of health care operations. For example, a physician owner of a hospital may make a personal loan to the hospital without charging interest at a fair market rate so that the hospital can make payroll or pay its vendors.

• Hospitals can provide benefits to their medical staffs, such as multiple daily meals, laundry service to launder soiled personal clothing, or child-care services while the physicians are at the hospital and engaging in activities that benefit the hospital and its patients.

• Allowing the provision of certain items and services that are solely related to COVID-19 Purposes (as defined in the waivers), even when the provision of the items or services would exceed the annual non-monetary compensation cap.

• Physician-owned hospitals can temporarily increase the number of their licensed beds, operating rooms, and procedure rooms, even though such expansion would otherwise be prohibited under the Stark Law.

• Loosening some of the restrictions when a group practice can furnish medically necessary designated health services (DHS) in a patient’s home.

• Group practices can furnish medically necessary MRIs, CT scans or clinical laboratory services from locations like mobile vans in parking lots that the group practice rents on a part-time basis.

Additional details regarding these new Stark law waivers can be found here. As COVID-19 continues to test and strain national healthcare resources, we expect that the government will continue to issue waivers of certain fraud and abuse laws and regulations, to help providers expand care delivery to patients without having to worry about some of the burdensome technical limitations that could otherwise preclude such efforts.  We will of course keep you updated on any new developments in this area, and are available to answer any questions you may have about our rapidly changing healthcare regulatory environment.

Updates Regarding Telehealth Use and Reimbursement During the Coronavirus Pandemic

Following our March 17, 2020 update in which we discussed the federal government’s waiver of certain HIPAA restrictions for telemedicine services during the COVID-19 pandemic, many providers have had general questions regarding telehealth services and reimbursement during the current healthcare crisis.

Telehealth, telemedicine, and related terms generally refer to “the exchange of medical information from one site to another through electronic communication to improve a patient’s health. The remote nature of telemedicine makes it an ideal first-line tool for evaluation and management of COVID-19 without (1) the risks associated with in-person visits and (2) the threat of increased community exposure associated with traveling to in-person medical appointments. Because telemedicine is subject to myriad legal restrictions and limitations (in particular under Medicare), both federal and state government agencies have had to (and will likely continue to) issue emergency rules to waive regulatory barriers to telemedicine delivery and reimbursement. Below is a summary of notable developments to date regarding the use of telemedicine in the midst of the COVID-19 crisis:

HIPAA WAIVERS FOR PROVISION OF TELEMEDICINE

As discussed in our March 17 update, the HHS Office for Civil Rights (“OCR”) announced that, effective immediately, it would exercise “enforcement discretion” and waive penalties for HIPAA violations against healthcare providers that communicate with patients and provide telehealth services in “good faith” through “everyday” communications technologies such as Skype, Google Hangouts, Facebook Messenger, and FaceTime during the COVID-19 national emergency. As noted, this waiver applies to telehealth provided for any reason, not just services related to the diagnosis or treatment of health conditions related to COVID-19.

WAIVER TO EXPAND MEDICARE PAYMENTS FOR TELEHEALTH SERVICES

On March 16, 2020, CMS published a “blanket” waiver to allow Medicare payment for visits provided via telemedicine (prior to this waiver, Medicare only paid for telehealth services under limited circumstances). Under this new waiver, Medicare can now pay for office, hospital, and other visits furnished via telehealth across the country and including in patient’s places of residence starting March 6, 2020.  A range of providers, such as doctors, nurse practitioners, clinical psychologists, and licensed clinical social workers, will be able to offer and be reimburse by Medicare for three (3) types of “Virtual services”:

1. Medicare “telehealth visits” (which will be considered the same as in-person visits and will be paid at the same rates as regular, in-person visits);
2. Virtual Check-ins (Brief, patient-initiated communications via telephone call or information exchange via text, email, or patient portal, with practices they have an existing relationship with); and
3. E-visits (patient-initiated communications with their doctors via online patient portals).

There appears to be some overlap between these types of services, in particular “Virtual Check-ins” and “E-Visits.” Additional information can be found in the Medicare Telemedicine Health Care Provider Fact Sheet.

CMS ENCOURAGES EXPANDING TELEHEALTH FOR MEDICARE ADVANTAGE PATIENTS

On March 10, 2020, CMS issued guidance to Medicare Advantage (MA) plans informing them of their “obligations and permissible flexibilities” related to disasters and emergencies resulting from COVID-19. In the guidance, CMS advised that MA plans may provide enrollees access to Medicare Part B services via telehealth in any geographic area and from a variety of places, including beneficiaries’ homes.  CMS further advised that MA plans may waive or reduce enrollee cost-sharing obligations for COVID-19 related treatment delivered by telemedicine.  Such changes to MA plans can be implemented immediately by MA organizations without further approval from CMS.

DOJ CAUTIONS THAT FRAUD RELATED TO COVID-19 WILL BE PROSECUTED

In the wake of the Coronavirus pandemic, DOJ has cautioned the American public against emerging fraud schemes related to COVID-19 and has asked the public to report suspected fraud. On March 20, 2020, Attorney General William P. Barr directed all U.S. Attorneys “to prioritize the investigation and prosecution of Coronavirus-related fraud schemes,” and each U.S. Attorneys’ Office was mandated to appoint a lead prosecutor to coordinate prosecution of Coronavirus-related crimes as well as outreach and public awareness efforts. In recent years, telemedicine been an area rife for federal enforcement.  It was a focus of Department of Justice’s (DOJ) September 2019  Health Care Fraud Takedown — which included charges against 48 individuals submitting claims for more than $160 million involving fraudulent telemedicine companies. More recently, DOJ’s Medicare Fraud Strike Force announced charges against the owners of two telemedicine companies for their roles in a $56 million conspiracy to defraud Medicare.  DOJ has announced its first enforcement action related to COVID-19 fraud, and given AG Barr’s March 20, 2020 directive, we have no doubt that the federal government will vigorously investigate and prosecute fraud related to telemedicine during the COVID-19 crisis.

HHS-OIG WAIVES ADMINISTRATIVE SANCTIONS FOR REDUCING OR WAIVING PATIENT COST-SHARING OBLIGATIONS RELATED TO COVID-19 TREATMENT

In a Policy Statement issued on March 17, 2020, the HHS Office of Inspector General (“OIG”) notified physicians and other practitioners that they will not be subject to administrative sanctions for reducing or waiving any cost-sharing obligations (if they choose to do so) that federal healthcare program beneficiaries might otherwise owe for telehealth services furnished during the “time period subject to the COVID-19 Declaration.”  The Policy does not affect or waive providers’ responsibilities to bill only for services performed and to comply with all legal authorities related to proper billing, claims submission, and cost reporting, which, as noted above, will be still subject to investigation and possible prosecution.

NYS MEDICAID EXPANDS PERMISSIBLE USES OF TELEHEALTH SERVICES

In February 2019, NYS Medicaid expanded the permissible use of telehealth services. Under the NYS Insurance Law and Public Health Law, services that are covered under a comprehensive health insurance policy or contract cannot be excluded when the service is delivered via telehealth.  During the COVID-19 crisis, the NYS DOH is encouraging the use of telehealth for providing COVID-19 related services to Medicaid members.

NYS MEDICAID EXPANDS REIMBURSEMENT FOR TELEPHONE EVALUATIONS

Effective March 13, the New York State Medicaid Program will reimburse providers for telephonic evaluation and management (E&M) services for established patients where face-to-face visits are not recommended and it is medically appropriate for telephonic evaluation and management of the patient.  Where face-to-face visits are not possible due to the COVID-19 crisis, telephonic visits documents that are documented as clinically appropriate will be considered “medically necessary” for Medicaid reimbursement purposes.

NYS MEDICAID COST-SHARING WAIVER FOR COVID-19 RELATED SERVICES

To ensure that cost–sharing is not a barrier to testing, NYS Medicaid will cover services including testing for COVID–19 and for physician, clinic, and emergency visits without copays for members when the purpose of the visit is testing for COVID–19. Providers should follow CDC coding guidelines below when submitting claims to Medicaid.

COMMERCIAL REIMBURSEMENT EXPANSIONS FOR TELEHEALTH SERVICES

Many commercial payors have adopted temporary reimbursement policies that expand members access to telehealth services, including waiving cost-sharing and prior authorization requirements for COVID-19 testing and telehealth services.  Please check with the commercial payor networks in which you participate to determine what policies have been implemented to facilitate expanded telehealth services.

* * *

As the COVID-19 crisis worsens, we expect that government and commercial payors will take additional steps to expand and encourage delivery of healthcare services via telemedicine.  We will continue to provide updates as more information becomes available.

AEL Addresses Common Questions Regarding HIPAA Compliance Amidst the Global Pandemic

Amidst the damage and disruption COVID-19 is causing, businesses and individuals have many questions about HIPAA – – and specifically, about what health information they can share (and how) without express patient authorization. Below are some FAQs that we have assembled regarding HIPAA to help guide providers and employers during these extraordinary circumstances.

What is HIPAA?

Short for the Health Insurance Portability and Accountability Act, HIPAA was signed into law in 1996 by President Bill Clinton. HIPAA primarily concerns the privacy and security of patient health information, and requires healthcare organizations to implement controls to keep patients’ medical information safe.

Who does HIPAA apply to?

HIPAA applies to “covered entities” as well as their “business associates.” “Covered Entities” include healthcare providers (such as doctors, dentists, vision clinics, hospitals, and related health caregivers), health plans, and healthcare clearinghouses. “Business associates” are persons or entities, other than a member of the workforce of a “covered entity,” who perform functions or activities on behalf of, or provides certain services to, a HIPAA Covered Entity that involve access by the business associate to protected health information.

What are the HIPAA Privacy and Security Rules?

The HIPAA “privacy rule” establishes standards for protecting patients’ medical records and other “protected health information” (PHI), and restricts the uses and disclosures of PHI by covered entities and their business associates, absent patient authorization (i.e. “permission”), to treatment, payment, and healthcare operations purposes (sometimes called “TPO”).

The HIPAA “security rule” requires covered entities and their business associates to protect patients’ electronically stored protected health information (known as “ePHI”) by using appropriate administrative, physical, and technical “safeguards”, to ensure the confidentiality, integrity, and security of this information.

Must my company comply with the HIPAA Privacy Rule if it is not a Covered Entity or Business Associate?

Technically, no. The HIPAA Privacy Rule only applies to Covered Entities and their Business Associates, and thus, only restricts uses and disclosures of individuals’ health information by employees, volunteers, and other members of a covered entity or business associate’s workforce. Though there have been past situations where the government prosecuted non-Covered Entities/non-Business Associates for improper commercial uses of PHI, given the current emergent circumstances, we do not believe that a non-Covered Entity or non-Business Associates’ use or dissemination of PHI would result in such actions unless such use or dissemination were otherwise criminal or malevolent.

If HIPAA does not apply to my company, can we share and disseminate our employees’ or customers’ health data without their permission?

Not necessarily. While the HIPAA Privacy rule restrictions on use and dissemination of PHI may not apply to your company if it is not a “covered entity” or “business associate,” other federal and state confidentiality rules, as well as contractual obligations, may still restrict your ability to use or disseminate such information without permission. We encourage you to tread carefully before using or sharing individuals’ health information, even if HIPAA does not apply to you or your company, and to consult with counsel if you have any questions or concerns.

Can healthcare providers communicate with patients or perform “telehealth” services through everyday communications technologies (such as Skype or FaceTime) during the COVID-19 crisis?

Yes. On March 17, 2020, the Office for Civil Rights at HHS announced that, effective immediately, it would exercise “enforcement discretion” and waive penalties for HIPAA violations against health care providers that communicate with patients and provide telehealth services in “good faith” through “everyday” communications technologies such as Skype, Google Hangouts, Facebook Messenger, and FaceTime (which are not fully HIPAA-compliant and cannot ordinarily be used for telehealth services) during the COVID-19 national emergency. Importantly, this waiver applies to telehealth provided for any reason, not just services related to the diagnosis or treatment of health conditions related to COVID-19.

Do HIPAA and the Privacy and Security Rules still apply during a public health emergency such as the COVID-19 outbreak?

Yes, the HIPAA Privacy and Security rules still apply during a disease outbreak, including the COVID-19 pandemic, except as specifically exempted or waived by HHS (such as for telehealth services via “everyday” communications technologies as described above). That said, the HIPAA Privacy Rule always allows PHI to be shared for the following purposes and under the following conditions, which are particularly relevant now:

• Treatment Purposes: A patient’s PHI can be disclosed without patient authorization to treat that patient or to treat a different patient. Treatment includes the coordination or management of health care and related services by health care providers, consultation between providers, and the referral of patients for treatment. See 45 C.F.R. § 164.502(a)(1)(ii), 164.506(c).

• Public Health Activities: During public health emergencies like the COVID-19 outbreak, PHI can be shared without patient authorization with: (1) public health authorities such as the CDC and state and local health departments; (2) at the direction of a public health authority, to a foreign government agency; and (3) to persons at risk of contradicting or spreading the disease or condition if other law, such as state law, authorizes the covered entity to notify such persons as necessary to prevent or control the spread of the disease or to carry out public health interventions.

• Disclosures to Prevent Serious and Imminent Threats: Covered entities may share PHI with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public, consistent with all applicable laws and standards of ethical conduct. Thus, providers may disclose patient PHI to anyone in a position to prevent or lessen a serious and imminent threat, including family, friends, caregivers, and law enforcement, without patient authorization.

• Disclosures to Family, Friends, and Others Involved in an Individual’s Care and For Notification: A covered entity may, with verbal consent if possible, share protected health information with a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care. A covered entity also may share information about a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death. This may include, where necessary to notify family members and others, the police, the press, or the public at large. See 45 C.F.R. § 164.510(b).

What specific PHI can be disclosed in these emergency situations?

Other than disclosures made by healthcare providers for the purpose of providing treatment, HIPAA’s “minimum necessary” standard applies for disclosures of PHI. The “minimum necessary” standard requires covered entities and business associates to make reasonable efforts to limit the information disclosed to that which is the “minimum necessary” to accomplish the purpose. Covered entities may rely on representations from a public health authority or other official that the requested information is the minimum necessary for the purpose, when that reliance is reasonable under the circumstances. For example, if the CDC requests from a hospital information about all patients exposed to or suspected to be exposed to COVID-19, a covered entity can safety conclude that the requested information is the “minimum necessary” for public health purposes.

How does the President’s recent declaration of a “state of emergency” impact our HIPAA Obligations?

Following President Trump’s March 13, 2020 declaration of a nationwide emergency concerning COVID-19, Secretary of the U.S. Department of Health and Human Services (HHS) Alex M. Azar exercised his authority to “waive” sanctions and penalties against covered hospitals that do not comply with the following provisions of the HIPAA Privacy Rule:

• The requirement to obtain a patient’s (verbal) agreement to speak with family members or friends involved in the patient’s care. See 45 C.F.R. 164.510(b).  The requirement to honor a request to opt out of the facility directory (see 45 C.F.R § 164.510(a)).

• The requirement to distribute a notice of privacy practices (see 45 C.F.R. § 164.522(a)).

• Patients’ rights to request confidential communications (see 45 C.F.R. § 164.522(b).

Please note that these waivers only apply: (1) in the emergency areas identified in the public health emergency declaration (which would include all of the NYC Metropolitan area); (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours after the disaster protocols are implemented. Once those 72 hours expire, hospitals must then again comply with all of the requirements of the Privacy Rule for any patients still under their care.