U.S. Supreme Court Holds Healthcare Entities Not Liable for Emotional Injury Damages Under Certain Anti-Discrimination Statutes

By Danya Blair on Posted in Health Care Providers, Healthcare Law, Healthcare Litigation, Hospitals & Health Systems

Healthcare facilities and other entities receiving federal financial assistance can breathe a little easier after a U.S. Supreme Court decision issued last week barring the recovery of emotional damages for certain discrimination claims.

Many federal anti-discrimination statutes allow recovery for “emotional injuries” that include humiliation, trauma, mental anguish, anxiety, depression, and other non-physical symptoms a plaintiff claims to have suffered as a result of discrimination. Federal appeals courts have been split on whether such damages are available to plaintiffs bringing discrimination claims under the Rehabilitation Act of 1973 (Rehab Act) and the Patient Protection and Affordable Care Act (ACA). The U.S. Supreme Court has now decided the issue, holding that emotional injuries are not recoverable under either the Rehab Act or the ACA. Continue Reading

“The No Surprises Act” a/k/a “The Act that Continues Surprising Providers”

By Kirk S. Davis and Danielle C. Gordet on Posted in Health Insurers & Managed Care Organizations, Healthcare Law, Healthcare Litigation, Hospitals & Health Systems, Physicians

The No Surprises Act (the “Act”) continues muddling through its implementation period. We have discussed the Act in prior posts, and most recently on March 8, 2022. The surprises have continued, with new updates coming out almost daily! There has been legal movement as health care providers and facilities (collectively, “Providers”) have brought lawsuits against the Departments of Health and Human Services (“HHS”), Labor, and Treasury, and the Office of Personnel Management (collectively, “Departments”).  In addition, the Centers for Medicare & Medicaid Services (“CMS”) issued answers to new frequently asked questions (“FAQs”). Continue Reading

Common Errors in State Licensing Applications

By Bruce D. Platt and Thomas A. Range on Posted in Government Affairs, Licensure & Regulatory, Healthcare Law

As a condition of doing business in the healthcare field, persons and companies must generally obtain the appropriate licenses or approvals. In addition to requirements that apply to all businesses, such as registering corporate entities with the Secretary of State or obtaining local business licenses known as business tax receipts, there are also substantive requirements that vary based on the type of services to be provided. To properly assess whether a person or a company meets the minimum substantive qualifications for licensure, state agencies require the submission of license applications. These applications request information on topics such as education, training, experience, and financial requirements. Continue Reading

Help Wanted: OCR Seeks Public Input on “Recognized Security Practices” and Sharing Settlements with Harmed Individuals Under the HITECH Act

By Elizabeth F. Hodge on Posted in Healthcare Law, HIPAA, Privacy, and Data Security

Covered entities and business associates subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) have the chance to provide input on two amendments to the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”). The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) recently issued a Request for Information (“RFI”) seeking public input regarding:

  1. How covered entities and business associates (collectively, “regulated entities”) are voluntarily implementing “recognized security practices” as identified in the HITECH Act and demonstrating how such practices are in use throughout the organization.
  2. The types of harms that should be considered in distributing civil monetary penalties (“CMPs”) and monetary settlements to harmed individuals and potential methodologies for sharing and distributing CMPs and settlement funds to harmed individuals.

We discuss the two topics covered in the RFI in more detail below.

Recognized Security Practices

The HITECH Act was amended effective January 5, 2021 (“Amendment”) to require that HHS consider whether a regulated entity has adequately demonstrated that it had in place for at least the previous twelve months “recognized security practices.” The existence of those recognized security practices may mitigate potential fines, result in early termination of audit activities, and mitigate other remedies that might be agreed to in resolving potential violations of the HIPAA Security Rule following an investigation, compliance review, or audit. The goal of the Amendment is to encourage regulated entities to do “everything in their power to safeguard patient data.”

The Amendment defines “recognized security practices” as:

  • the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act;
  • the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015; and
  • other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.

Notably, the HITECH Act does not require regulated entities to implement recognized security practices, nor does it specify how regulated entities should select which category of recognized security practices to implement. However, to be considered for mitigation of fines and other remedial requirements, organizations must be able to demonstrate that they have fully implemented the recognized security practices for the preceding twelve months. Simply providing initial documentation of the adoption of the security practices is insufficient. Rather, the regulated entity must demonstrate that such practices and procedures have been in continuous operation for at least twelve months. The statute does not specify what triggers the beginning of the twelve-month look-back period.

The RFI requests that regulated entities provide input to OCR regarding their voluntary implementation of recognized security practices, including addressing the following questions:

  • What recognized security practices have regulated entities implemented and what recognized security practices do regulated entities plan to implement?
  • What standards, guidelines, and procedures developed under section 2(c)(15) of the NIST Act do regulated entities rely on when establishing and implementing recognized security practices?
  • What approaches promulgated under section 405(d) of the Cybersecurity Act of 2015 do regulated entities rely on when establishing and implementing recognized security practices?
  • What other programs and processes that address cybersecurity (besides those developed under section 2(c)(15) of the NIST Act or section 405(d) of the Cybersecurity Act of 2015) and that are developed, recognized, or promulgated through regulations under other statutory authorities do regulated entities rely on when establishing and implementing recognized security practices?
  • What steps do covered entities take to ensure that recognized security practices are in place?
  • What steps do covered entities take to ensure that recognized security practices are in use throughout their enterprise and what constitutes implementation throughout the enterprise?
  • What steps do covered entities take to ensure that recognized security practices are actively and consistently in use continuously over a 12-month period?

Notably, in the RFI OCR refers to “regulated entities” in the first four questions and “covered entities” in the last three questions above.  Based on the full text of the RFI, it is unclear why OCR appears to limit the last three requests to covered entities and exclude business associates.

Sharing Civil Monetary Penalties and Settlements with Individuals

The HITECH Act also requires HHS to establish by regulation a methodology under which an individual harmed by a potential violation of the HIPAA Privacy, Security, and/or Breach Notification Rules may receive a percentage of any civil monetary penalty or monetary settlement collected with respect to such offense. The methodology must be based on recommendations submitted by the General Accounting Office (“GAO”). OCR must base its determinations of appropriate penalty amounts on the nature and extent of the violation and the nature and extent of the harm resulting from the violation. Under the HIPAA Enforcement Rule, OCR may consider physical harm, financial harm, reputational harm, and harms that hinder one’s ability to obtain health care as aggravating factors in assessing a CMP or proposed settlement amount. However, the HITECH Act does not define “harm” generally nor the specific types of harm that OCR may consider in assessing CMPs or settlement amounts. How OCR ultimately defines what constitutes compensable harm could have far-reaching consequences beyond enforcement of HIPAA.

The GAO has recommended that OCR consider three models for the methodology to distribute a portion of CMPs and settlement amounts to individuals:

  • The Individualized Determination Model, where the plaintiff bears the burden of proof with respect to the harm suffered by the plaintiff and the liability incurred by the defendant;
  • The Fixed Recovery Model, where awards are either fixed or calculated by a formula established by law; and
  • The Hybrid Model, which combines elements of the Individualized Determination Model and the Fixed Recovery Model.

To assist it in evaluating the methodologies recommended by the GAO, OCR seeks input from all stakeholders regarding:

  • How to define “harm,” including what constitutes compensable harm for violations of HIPAA and whether harm should include non-economic harms such as emotional harm;
  • What bases should be used for deciding which injuries are compensable;
  • What factors should be considered in establishing a methodology for calculating the amount to be set aside for distribution to individuals;
  • Whether there are circumstances in which funds should not be set aside for distribution to individuals; and
  • How to provide notice to affected individuals that monetary distribution may be available.

HIPAA covered entities, business associates, and other stakeholders that want to respond to one or both topics in the RFI must submit comments to OCR by June 6, 2022.  While OCR assesses how it will respond to comments, covered entities and business associates should consider: (i) implementing recognized security practices; and (ii) how they will document that such practices are in continuous use throughout the organization to avail themselves of the mitigation afforded by the Amendment.  Covered entities and business associates should consult healthcare attorneys for assistance in this analysis.

UPDATE: No Surprises Here – Portions of the No Surprises Act Regulations Invalidated

By Kirk S. Davis and Danielle C. Gordet on Posted in Health Insurers & Managed Care Organizations, Healthcare Law, Healthcare Litigation, Hospitals & Health Systems, Physicians

The No Surprises Act (the Act) continues to bump through its initial implementation phase. As we discussed in our prior blog, out-of-network physicians and facilities (OON Providers), and their allies, are pushing back against portions of the recently issued interim final rule with comment period (the Interim Rule). Most recently, they succeeded in doing so when the Texas Medical Association, a trade association representing more than 55,000 physicians, and Dr. Adam Corley filed and won a lawsuit against the Departments of Health and Human Services (HHS), Labor, and Treasury, and the Office of Personnel Management (collectively, the Departments). The plaintiffs successfully argued that the Interim Rule unfairly protects group health plans and health insurance issuers (collectively, Plans) to the detriment of patients and OON Providers. Continue Reading

Healthcare Discrimination Based on Disability – Still Prohibited in the Pandemic!

By Kirk S. Davis and Danielle C. Gordet on Posted in Health Insurers & Managed Care Organizations, Healthcare Law, Healthcare Litigation, Hospitals & Health Systems, Physicians

It may seem as though the pandemic is coming to an end, but while COVID cases are declining,  they have not ceased. As the pandemic continues, the Department of Health and Human Services (HHS) Office for Civil Rights issued new guidance on February 4, 2022 to remind healthcare providers that federal disability laws remain in place.

The new guidance recognizes that during a public health emergency, such as the one caused by the pandemic, when resources can be scarce, individuals with disabilities may be victims of healthcare rationing. So HHS reminds providers that Section 504 of the Rehabilitation Act (Section 504) and Section 1557 of the Affordable Care Act (Section 1557) (collectively, the Anti-Discrimination Laws) both prohibit discrimination on the basis of disability. These Anti-Discrimination Laws require healthcare providers who receive HHS funds to ensure individuals with disabilities are not excluded from services, programs, or activities on the basis of disability. Continue Reading

Florida Continues Pursuit of Improved Patient Safety

By Kirk S. Davis and Danielle C. Gordet on Posted in Healthcare Law, Healthcare Litigation, Hospitals & Health Systems, Physicians

Florida is continuing its efforts to improve patient safety in hospitals and ambulatory surgical centers (ASCs).  The Florida Legislature previously approved a requirement that hospitals and ambulatory surgical centers (ASCs) conduct patient safety surveys and tasked the Agency for Health Care Administration (AHCA) with implementing a rule specifying the submission process for these surveys.  AHCA’s proposed rule (Proposed Rule) was announced on November 4, 2021.

Continue Reading

CMS Is Here To Help Healthcare Entities Comply with Its Vaccination Rule

By Kirk S. Davis and Elizabeth F. Hodge on Posted in Healthcare Law, Hospitals & Health Systems, Physicians

The Centers for Medicare and Medicaid Services (“CMS”) recently published an infographic to help Medicare and Medicaid facilities and providers determine if they or some members of their workforce are subject to the Omnibus Health Care Staff Vaccination Interim Final Rule (“Vaccine Rule”).  CMS has also issued FAQs to assist healthcare providers in assessing whether they are subject to the Vaccine Rule and if so, what they must do to comply with it.  The FAQs were most recently updated as of January 20, 2022 and are available here. Medicare- and Medicaid-certified providers and suppliers are encouraged to monitor further compliance guidance from CMS.

Surprised Providers Seek Changes to Latest Provisions of the No Surprises Act

By Kirk S. Davis and Danielle C. Gordet on Posted in Health Insurers & Managed Care Organizations, Healthcare Law, Healthcare Litigation, Hospitals & Health Systems, Physicians

Effective January 1, 2022, new billing protections went into effect that have the goal of providing greater protections for patients against surprise medical bills. As we discussed in our prior blog, the Departments of Health and Human Services, Labor, and Treasury, and the Office of Personnel Management (collectively, the Departments) implemented these additional protections that are part of the No Surprises Act as an interim final rule with comment period (Interim Rule).  Unfortunately, many healthcare providers are concerned the new provisions unfairly protect group health plans and health insurance issuers (collectively, Plans) to the detriment of patients and out-of-network physicians and facilities (Out-of-Network Providers).

The majority of the criticism against the Interim Rule focuses on the creation of a federal Independent Dispute Resolution (IDR) process. The IDR process provides a method for Plans and Out-of-Network Providers to determine the out-of-network rate for applicable items or services after an unsuccessful open negotiation. Once an IDR entity is selected, the parties must each submit to the IDR entity their offers for payment along with supporting documentation. The IDR entity uses that information to determine the appropriate out-of-network amount.

The IDR entity is required to begin with the presumption that the qualifying payment amount (QPA) is the appropriate amount.  In general, the QPA is the Plan’s median contracted rate for the same or similar service in the specific geographic area.  This presumption is the basis of the controversy as the Out-Of-Network Providers deem a Plan’s median contracted rate to be an inappropriate starting point.

The American Hospital Association, the American Medical Association, and other co-plaintiffs (collectively, the Plaintiffs) filed a complaint in the United States District Court for the District of Columbia on December 9, 2021, arguing that the IDR process deviates from the original law.  The Plaintiffs support the goal behind the IDR, which was to bring both parties to the table and allow them to present relevant information to support their payment offers.  The lawsuit challenges the way the Interim Rule “undermines the independence of the IDR process and the fairness of the No Surprises Act by severely tilting the scales towards the QPA.” The Plaintiffs ask the court to set aside the requirement that the arbitrators use a presumption in favor of the QPA, arguing that the requirement is contrary to law and in excess of the Departments’ statutory authority. On January 7, 2022, the Physician Advocacy Institute, 16 state medical associations, and nine national medical specialty societies, filed an amicus brief supporting the Plaintiffs’ lawsuit.

Others are also pushing back against the Interim Rule.  On November 5, 2021, a bipartisan group of 152 House members wrote the Secretaries of the Departments, urging them to amend the IDR process.  The letter provides: “This directive establishes a de-facto benchmark rate, making the median in-network rate [the QPA] the default factor considered in the IDR process. This approach is contrary to statute and could incentivize insurance companies to set artificially low payment rates, which would narrow provider networks and jeopardize patient access to care – the exact opposite of the goal of the law. It could also have a broad impact on reimbursement for in-network services, which could exacerbate existing health disparities and patient access issues in rural and urban underserved communities.”

There certainly is more to come on this as the lawsuit moves forward.  Out-of-Network Providers must remember that, for the time being, the IDR process must be followed in accordance with the Interim Rule.  To assist Out-of-Network Providers who feel the presumption in favor of the QPA will unfairly harm them and patients, we outline the factors the Interim Rule details as those that will be considered by the IDR entity when deciding whether the QPA is the appropriate out-of-network amount.

The IDR entity will consider the following credible information when determining if the information submitted by an Out-of-Network Provider clearly demonstrates that the QPA is materially different from the appropriate out-of-network rate for the item or service:

  • The QPA failed to take into account the experience or level of training of the Out-of-Network Provider that was necessary to provide the items or services to the patient;
  • The Plan has a majority of the market share in the geographic region where the items or services were provided (e.g., a Plan having the majority of the market share in a geographic region may establish that the QPA is unreasonably low, as Plans with a large market share could drive down rates);
  • The patient acuity or the complexity of furnishing the item or service to the individual is an outlier because the intensity of care exceeded what is typical for the particular service code or modifier, thereby helping to establish that the QPA does not adequately take the case’s complexity into account;
  • The teaching status, case mix, and scope of services of the out-of-network facility was critical to the delivery of the item or service (e.g., a hospital’s trauma level certification may be considered when the item or service involves trauma care that could not be performed at a lower-level hospital, but only if the QPA does not already account for this factor);
  • The Out-of-Network Provider made good-faith efforts to enter into a network agreement with the Plan and, if applicable, the contracted rates between the Out-of-Network Provider and the Plan during the previous four Plan years (e.g., the IDR entity may consider what the contracted rate might have been had the Out-of-Network Provider and the Plan entered into a network agreement);
  • Any additional information submitted by the Out-of-Network Provider, to the extent the information is credible and relates to the offer submitted by either party.

We are available to Out-Of-Network Providers seeking guidance regarding adhering to the IDR process.

Hot off the Press! The OIG Revises its Self-Disclosure Protocol for the First Time in Several Years

By Jeremy Burnette on Posted in Fraud & Abuse & False Claims Act, Health Care Providers, Hospitals & Health Systems, Medicare & Medicaid

For the first time since 2013, on November 8, 2021, the Department of Health and Human Services Office of Inspector General (“OIG”) updated its Health Care Fraud Self-Disclosure Protocol (“SDP”). The updated SDP makes several important revisions and clarifications that directly impact providers and suppliers who seek to self-disclose potential violations of healthcare fraud statutes to the government.

Importantly, the OIG emphasized that the benefits of such self-disclosure remain intact: Continue Reading

LexBlog