Healthcare Law Update – February 2023

On January 30, 2023, the Biden Administration announced its intent to extend the automatic expiration of both the national emergency and public health emergency declarations related to the Covid-19 pandemic that have been in effect since 2020. The national emergency is set to expire on March 1, 2023, and the public health emergency is set to expire on April 11, 2023. The Biden Administration is planning to wind down both declarations by extending the expiration dates to May 11, 2023. The wind down does not impose or change any existing rules or regulations regarding Covid-19 testing, masking, or vaccine mandates. In connection with this announcement, the Centers for Medicare & Medicaid Services (CMS) provided an updated factsheet for Medicare and Medicaid providers regarding how the end of the declarations will impact existing Covid-19 waivers and flexibilities that have been in existence since 2020.

CMS Announces the Growth of Three Initiatives To Increase ACO Participation

On January 17, 2023, the Centers for Medicare & Medicaid Services (CMS) announced the expansion of three existing accountable care initiatives: the Medicare Shared Savings Program (MSSP), the Accountable Care Organization Realizing Equity, Access, and Community Health (ACO Reach) Model, and the Kidney Care Choices (KCC) Model.

Accountable Care Organizations are groups of doctors, hospitals, and other healthcare providers, who collaborate to provide coordinated care to their Medicare beneficiaries. A brief description of each model is as follows:

• The Shared Savings Program is a permanent program in Medicare that was established by the Affordable Care Act. It is the largest accountable care initiative in the country. Policies finalized in the CY 2023 Medicare Physician Fee Schedule are expected to increase participation in the program, especially in rural and underserved areas.

• The ACO Reach Model aims to improve the quality of care through improved coordination and increased access to accountable care in underserved communities to close racial and ethnic disparities among people with traditional Medicare in accountable care relationships.

• The KCC Model focuses on coordinating care for Medicare beneficiaries with chronic kidney disease stages 4 and 5 and end-stage renal disease. The KCC Model also focuses on delaying the onset of dialysis and increasing access to kidney transplantation.

CMS is seeking to have all people with traditional Medicare in an accountable care relationship by 2030.

On January 30, 2023, the Centers for Medicare & Medicaid Services (CMS) released a final rule detailing how it will remedy overpayments to insurance companies administering Medicare Advantage Plans (MA Plans). The rule comes in response to audits of MA Plans from 2011 through 2013 that revealed inflation in the Risk Adjustment Data Validation (RADV) (CMS’s audit and oversight tool of MA Plans). CMS determined that the RADV was inflated because the medical diagnoses submitted for payment were not supported in the applicable medical record, resulting in significant overpayments to these MA Plans.

The enforcement action targeted fake diplomas sold to aspiring nurses who then were qualified to take the national nursing board exam. Upon passing the exam, these aspiring nurses obtained licensure as registered nurses or licensed practical/vocational nurses and eventually were employed and practiced nursing without the necessary education or clinical training. More than 7,600 fake nursing degrees were issued to aspiring nurses from three Florida-based schools, Siena College, Palm Beach School of Nursing, and Sacred Heart International Institute. While these schools are now closed, the DOJ, OIG, and FBI are jointly working to identify nurses who improperly obtained these degrees and licenses and are now working in healthcare facilities. New Jersey is among the states where law enforcement is investigating and annulling nursing licenses obtained as a part of this scheme.

On December 15, 2022, the owner of a durable medical equipment company was indicted in New Jersey for allegedly offering and paying illegal kickbacks and money laundering.

The company owner allegedly paid illegal kickbacks to telemedicine and marketing companies in exchange for physician orders for orthotic braces and continuous glucose monitors for Medicare beneficiaries. The owner and co-conspirators allegedly concealed these payments by entering into sham contracts and producing false invoices for “marketing” services. As a result, Medicare paid more than $17.3 million based on these fraudulent and false claims.

If convicted, the owner faces a maximum penalty of five years in prison for conspiracy to defraud the United States and offer and pay health care kickbacks, ten years in prison for each count of offering and paying health care kickbacks, and ten years in prison for money laundering conspiracy. The OIG and FBI are investigating this case.

On December 27, 2022, the Centers for Medicare and Medicaid Services (CMS) issued a proposed rule that could materially modify the obligations of providers participating in the Medicare program to report and return overpayments. The overpayment rules require a provider that receives an overpayment to report and return the overpayment by the later of 60 days after the provider identifies the overpayment or the date of any corresponding cost report that is due.

The current overpayment rule applies a “reasonable diligence” standard under which a provider is deemed to have identified an overpayment when the provider has, or should have through the exercise of reasonable diligence, identified that they received an overpayment and determined the amount of the overpayment. If finalized, the proposed rule would eliminate the “reasonable diligence” standard and replace it with a “knowing” standard established under the False Claims Act (FCA), under which providers would only be deemed to have identified an overpayment if they had actual knowledge of the existence of the overpayment or acted in reckless disregard or deliberate ignorance of such overpayment knowledge standard. The proposed rule would also eliminate the requirement that an overpayment must be quantified before the 60-day reporting requirement is triggered.

The proposed rule would apply to all claims submitted under Medicare Parts A, B, C, and D. The proposed rule is influenced by the outcome of UnitedHealthcare Ins. Co. v. Azar, in which the court noted that the use of the “reasonable diligence” standard in identifying overpayments conflicted with the “knowledge” standard in the FCA and improperly created liability for mere negligence, and CMS does not have the legislative authority to apply more stringent standards to impose FCA consequences through regulation.”

Assembly Bill 5055, introduced in the New Jersey General Assembly on January 12, 2023, would require healthcare facilities and professionals to provide the parent or guardian of an unemancipated minor patient access to the patient’s medical records without authorization from the minor patient. This right of access would not apply where a minor appears to have been sexually assaulted and the treating physician determines that it would not be in the minor’s best interests to notify the parent or guardian, a minor seeks treatment for a substance use disorder, or a minor is over 16 years of age and is seeking temporary outpatient behavioral health treatment.

Assembly Bill 256 passed in both houses of the New Jersey Legislature on January 26, 2023, and now awaits being signed into law by Governor Phil Murphy. If signed into law, this bill would require healthcare facilities licensed by the Department of Health to adopt and implement policies for use of smoke evacuation systems for the prevention of exposure to surgical smoke generated during some surgical procedures. The bill would not apply to long-term care, adult medical day care, home health, and psychiatric hospitals.

On February 1, 2023, the Federal Trade Commission (FTC) issued a press release announcing:

The [FTC] has taken enforcement action for the first time under its Health Breach Notification Rule against the telehealth and prescription drug discount provider [and vendor of personal health records] GoodRx Holdings Inc., for failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies. In a first-of-its-kind proposed order, filed by the Department of Justice on behalf of the FTC, GoodRx will be prohibited from sharing user health data with applicable third parties for advertising purpose, and has agreed to pay a $1.5 million civil penalty for violating the rule. The proposed order must be approved by the federal court to go into effect.

The FTC alleged that GoodRx shared sensitive personal health information with advertising companies and platforms, contrary to its privacy promises, and failed to report such unauthorized disclosures as required by the Health Breach Notification Rule. The FTC alleged GoodRx:

• Shared personal health information with Facebook, Google, Criteo, and others

• Used personal health information to target its users with advertisements

• Failed to limit third-party use of personal health information

• Misrepresented its HIPAA compliance, and

• Failed to implement policies to protect personal health information.

In September 2021, the FTC issued a policy statement specifically affirming that health apps and connected devices that collect the health data of consumers must comply with the Health Breach Notification Rule, which requires, among other things, that those subject to the rule notify consumers and others when consumers’ health information is breached.

It is also interesting to note that this action follows the recently-published guidance from the Department of Health & Human Services, Office for Civil Rights on the use of online tracking technologies by HIPAA-covered entities and business associates. See our prior Health Law Update article on this topic here.

The U.S. Department of Justice (DOJ) announced its “months-long disruption campaign against the Hive ransomware group that has targeted more than 1,500 victims in over 80 countries around the world, including hospitals, school districts, financial firms, and critical infrastructure.” Part of the disruption included the FBI’s penetration of Hive’s computer networks, capturing its decryption keys and providing them to victims to unlock affected systems and avoid payment of $130 million in demanded ransom. The DOJ stated that the group received over $100 million through its “double-extortion model of attack” of exfiltrating or stealing sensitive data before encrypting the victim’s systems, through the use of a ransomware-as-a-service (RaaS) model. Among the methods used by the attackers to gain access to the victim’s systems were phishing schemes and emails with malicious attachments.

One takeaway from this announcement is the importance of implementing recognized security practices that are intended to address and prevent the top cyber threats against the healthcare system. This includes having in place a robust security program, including HIPAA Security Rule policies and procedures, implemented practices, ongoing monitoring, and effective training initiatives that address security best practices and avoidance of ransomware attacks and phishing and email schemes.

KEITH ROBERTS
Briefly describe a recent significant transaction, win or client victory.
In a complex RICO action filed by a major insurance carrier alleging insurance fraud against a New York medical supplier, our litigation team successfully defended the matter to resolution, defeating the substantive allegations filed against our client. Our zealous efforts throughout the discovery process, including production and inspection of certain medical equipment at issue, exposed the weakness of the insurance carrier’s case thereby forcing the Plaintiff to abandon an exorbitant claim for damages. Here, we have another more than satisfied Brach Eichler client. Results matter.

Why did you choose to focus your legal practice on healthcare law and the healthcare industry?
Healthcare is an evolving field, with constant changes in both statutory and regulatory authority. My vast experience as a trial lawyer, coupled with my training in healthcare law at Brach Eichler, uniquely positions me to navigate complex legal issues for my clients, and nothing gives me greater satisfaction. My litigation team at Brach Eichler is now a deep bench fully capable of handling complex commercial disputes in healthcare, restrictive covenant litigation, RICO actions, fraud and abuse matters, state board disciplinary proceedings , practice disputes, medical staff matters, closely held corporate disputes, and insurance carrier investigations to include private and Medicare coding audits – to name a few. In short, there is nothing we would rather do than assist a medical provider in need of quality legal representation. We love our jobs.

SALLY OLSON
Briefly describe a recent significant transaction, win or client victory.
I was recently involved in a transaction with a large hospital system and their acquisition of a multi-state pathology group. While lengthy and multi-faceted, we successfully completed the transaction and met the client’s goals. Having the opportunity to work on a transaction like this has been an invaluable and extremely rewarding experience.

Why did you choose to focus your legal practice on healthcare law and the healthcare industry?
As an undergraduate, I knew I wanted to do something in healthcare as it is a constantly evolving industry. After falling in love with my coursework in law and bioethics, I pursued law school with the hope of one day practicing health law. My summer associate position at Brach Eichler coupled with the health law classes I took in law school solidified this decision. So far, this field is fascinating and every day has presented a new challenge.

On February 23rd Healthcare Law Member Edward Yun joined APALA’s “Pathways to Partnership” Panel.

From February 15 to 18, Healthcare Law Member Isabelle Bibet-Kalinyak spoke at the comprehensive CME meeting, “Telling It Like It Is,” in Tampa, Florida! Isabelle provided legal insights related to the speakers’ topics, including cybersecurity, protecting your practice against embezzlement, the expanding critical role of analytics, staff shortages, life after private equity transactions, in-office retail sales, and more.”

On February 13, Labor and Employment Co-Chair Matthew M. Collins along with Jay Sabin issued a client alert about “New Jersey’s Expanded WARN Law About to Take Effect.”

On February 10, Managing Member and Healthcare Law Chair John D. Fanburg was named to ROI-NJ’s Influencers: Power List in Law for being “long recognized as a top expert in health and hospital law.”

On January 31, ROI-NJ published an article “Brach Eichler promotes seven attorneys to member.”

Join us for the 12th Annual New Jersey Healthcare Market Review, September 28-29, 2023 at the Borgata Hotel Casino & Spa, Atlantic City, NJ! Connect with over 200 attendees comprised of hospital and ASC executives and stakeholders, physicians, practice owners/managers, and healthcare administrators. During this two-day event, industry experts will discuss timely topics and trends in the healthcare and legal space ranging from legislative issues to operating and business strategies for greater profitability. To learn more and register, please visit www.njhmr.com. For questions or additional information, please reach out to Ilana Schackman at ischackman@bracheichler.com.