Healthcare Law Update – November 2022

On October 21, 2022, the Centers for Medicare & Medicaid Services (CMS) announced that the oversight policies for the Special Focus Facility (SFF) program have been revised to improve the care that nursing homes deliver. The SFF program identifies the poorest performing nursing homes in the country for increased scrutiny to immediately improve the quality of care that is delivered. The facilities in the SFF program are inspected approximately twice as often as all other nursing homes, no less than once every six months, and face severe enforcement actions if improvement is not demonstrated. Facilities must pass two consecutive inspections to complete the program. Currently, 88 nursing homes, approximately 0.5% of all nursing homes in the country, participate in the SFF program.

Revisions to the SFF program include:

• Requiring nursing homes to demonstrate systemic improvements in quality to graduate from the SFF program.

• Terminating federal funding for facilities that don’t improve.

• Imposing more severe enforcement remedies for non-compliant facilities.

• Incentivizing sustainable improvements.

• Considering staffing levels and compliance history when selecting candidates for the SFF program.

• CMS is encouraging facilities to make good-faith efforts to improve quality and measurable changes, such as changes in staffing, leadership, or increased overall staffing. These efforts will be considered when evaluating potential enforcement actions for noncompliance.

The Centers for Medicare & Medicaid Services (CMS) recently issued a final rule that provides updates and policy changes for Medicare payments under the Physician Fee Schedule (PFS) for calendar year (CY) 2023. The final rule also updates the Medicare Shared Savings Program for CY 2023, including updates to the Quality Payment Program that make several additional optional merit-based incentive payment pathways available to providers.

The final rule sets the PFS conversion factor at $33.06 per relative value unit (RVU), which represents a decrease of $1.55 from CY 2022, which is primarily due to the expiration of a temporary 3% statutory increase that was implemented for CY 2022 as a result of the challenges posed by the COVID-19 pandemic. The final rule also includes updates to codes and coding guidelines for Evaluation and Management (E/M) services in furtherance of CMS’s efforts to reduce the administrative burden of billing for E/M services. CMS

also delayed for one year the implementation of policies modifying how providers bill for split or shared E/M visits.

The final rule includes policy changes related to reimbursement for Medicare telehealth services, including providing an extension of Medicare coverage for several types of telehealth services that were made temporarily available as a result of the COVID-19 public health emergency. The final rule also incorporates revisions to existing regulations that are intended to provide better access to behavioral health services for Medicare beneficiaries, allowing certain behavioral health services that are administered by auxiliary personnel, such as licensed professional counselors and licensed marriage and family therapists, to be provided under the general, as opposed to direct, supervision of a physician.

Other highlights of the final rule include updates to payment rates for both the drug and non-drug components of opioid treatment programs; allowing Medicare beneficiaries direct access to an audiologist for non-acute hearing conditions without an order from a physician; clarifying payment policies for dental services, which are only covered under Medicare when they are an integral part of specific treatment of a beneficiary’s covered medical condition; and expanding Medicare coverage for certain colorectal cancer screening tests by reducing the minimum age for coverage and expanding what services are included within the definition of covered colorectal cancer screening tests.

An October 5, 2022, the Department of Health and Human Services, Office of Inspector General (OIG) published Advisory Opinion 22-19 finding that a proposed arrangement where drug manufacturers, through a non-profit entity, provide certain types of cost-sharing and premium subsidies for Medicare Part D beneficiaries would implicate the federal Anti-Kickback Statute (AKS) if the requisite intent were present, but would not trigger civil monetary penalties for beneficiary inducements (CMP).

Under the proposed arrangement, the drug manufacturers would:

1. finance all of the non-profit entity’s operating costs;

2. fund, through the non-profit entity, specified programs, and eligible beneficiaries’ health insurance premiums; and

3. fund, through the non-profit entity, cost-sharing subsidies for the manufacturers’ drugs covered under Medicare Part D.

Part D beneficiaries would be eligible for cost-sharing subsidies if they were diagnosed with cancer, have a household income between 150-350% of the federal poverty level (FPL), and were prescribed an oncology drug of one of these drug manufacturers covered by their Medicare Part D Plan.

The OIG concluded that the proposed arrangement would generate unlawful remuneration under the AKS if the requisite intent were present. The OIG determined that the cost-sharing subsidies indirectly provided by the drug manufacturers to eligible Part D beneficiaries would constitute remuneration that could induce the purchase of an item reimbursable under a federal health care program. Additionally, the OIG concluded that these cost-sharing subsidies would not meet any statutory exception or regulatory safe harbor under the AKS and “present more than a minimal risk of fraud and abuse.”

However, the OIG concluded it would not impose sanctions under the CMP, which sets forth civil penalties for anyone who offers or transfers remuneration to a Medicare or Medicaid beneficiary that is likely to influence the beneficiary’s selection of a particular provider, practitioner, or supplier for an item or service payable by Medicare or Medicaid. The OIG noted that neither the non-profit entity nor the drug manufacturers are a provider, practitioner, or supplier. The OIG concluded that because the cost-sharing subsidies would be available to any pharmacy willing to accept the subsidies without regard to a Part D beneficiary’s choice of provider, practitioner, or supplier, the remuneration that would be offered likely would not influence a beneficiary’s selection of a particular provider, practitioner, or supplier.

Advocate Aurora Health, an integrated nonprofit healthcare system, alerted its 3 million patient base and the Department of Health and Human Services that pieces of code known as “pixels,” an internet tracking tool, or similar technologies installed on its patient portals, transmitted certain patient information to Meta Platforms, Inc. (formerly known as Facebook), the provider of pixel technology. Aurora explained that sensitive information such as the names of patients and providers, IP addresses, and dates and locations of scheduled appointments were among the information which was transmitted to Meta. Aurora has disabled and/ or removed the pixels from its platforms and launched an internal investigation to better understand what patient information was transmitted.

Although Aurora representatives have stated that the pixels were unlikely to result in identity theft or financial harm to patients, a class action suit was filed against Meta and Aurora on October 28, 2022 in U.S. District Court in Chicago alleging violations of the Electronic Communications Privacy Act, the Stored Communications Act, and the Health Insurance Portability and Accountability Act of 1996 by “knowingly and repeatedly intercepting, accessing and disclosing” personal and sensitive health information.

On October 26, 2022, the Centers for Medicare & Medicaid Services (CMS) issued revised guidance regarding COVID-19 immunization requirements for staff at Medicare and Medicaid-certified long-term care and skilled nursing facilities. The previous guidance, which CMS published earlier this year, required that 100 percent of all staff at applicable facilities must comply with applicable Centers for Disease Control and Prevention (CDC) COVID-19 vaccination requirements, and provided that noncompliance could lead to termination of Medicare and Medicaid participation. Citing relatively low-trending COVID-19 hospitalizations and deaths, the new guidance allows for more flexible staff vaccination requirements and enforcement.

Under the new guidance, a facility is deemed noncompliant with vaccination requirements if vaccination rates fall below 100 percent for all staff who do not meet an exception to CDC vaccine requirements, as opposed to the 100 percent of all staff requirements of the previous CMS guidance. This revised guidance aligns the vaccination requirements for long term care and skilled nursing facility staff with the requirements for the staff of other types of Medicare and Medicaid-certified facilities. The revised guidance also provides for a more balanced enforcement scheme that takes into account the scope and severity of noncompliance, including whether the facility demonstrates a good faith effort to correct noncompliance based upon a plan of correction that the facility submits to CMS, with the harshest penalties being issued for the most egregious forms of non-compliance.

In a recent settlement with the United States Department of Justice (DOJ), Modernizing Medicine (ModMed), an electronic health record technology provider, agreed to pay $45 million to resolve allegations that it violated the federal False Claims Act and the federal Anti-Kickback Statute by accepting and providing unlawful remuneration in exchange for referrals and by causing its users to report inaccurate information in connection with claims for payments from federal incentive programs. ModMed previously paid $63.5 million to the DOJ in 2009 to resolve separate allegations that ModMed violated the Anti-Kickback Statute and the federal law prohibiting self-referrals known as the Stark Law by providing referring physicians with subsidies for EHR systems and free or discounted technology consulting services.

According to the DOJ’s complaint, ModMed violated the False Claims Act and the Anti-Kickback Statute through three separate marketing programs. The DOJ alleged that ModMed solicited and received kickbacks from Miraca Life Sciences, Inc, a pathology laboratory company, in exchange for recommending Miraca’s services to its users. According to the DOJ, ModMed also conspired with Miraca to improperly donate electronic health records to healthcare providers to increase lab orders for Miraca and add to ModMed’s customer base. The DOJ also claimed that ModMed paid kickbacks to its healthcare provider customers and other parties in the healthcare industry in exchange for recommending

On November 1, 2022, the New Jersey Department of Banking and Insurance (DOBI) approved an application by Horizon Blue Cross Blue Shield of New Jersey (Horizon) to reorganize its corporate structure to a nonprofit mutual holding company. The approval is subject to 11 conditions imposed by DOBI to ensure that Horizon acts in the interest of its 3.7 million members and maintains financially safe and sound insurance subsidiaries.

Notable conditions set forth by DOBI include an obligation to continue to offer comprehensive medical coverage in every county in the state; a dividend moratorium for three years; minimum risk-based capital (RBC) requirements for subsidiaries or affiliates of Horizon above authorized control level RBC; a parental guarantee to maintain their minimum RBC; and a requirement to submit quarterly reporting of enterprise-wide RBC.

Horizon provided in its application that, because of its corporate structure, Horizon was previously restricted from investing more than 2% of its reserves in any single venture. The reorganization lifts this restriction on Horizon’s reserves and allows Horizon to invest more freely in nonprofit and for-profit projects. Horizon further provided in its application that behavioral health and critical substance abuse would be areas it would have greater latitude to invest after its reorganization.

A New Jersey federal Court recently dismissed a healthcare network’s claim against its liability insurance provider for business interruptions caused by the COVID-19 pandemic. Inspira Health Network (Inspira), a leading healthcare provider in South Jersey with three hospitals, two cancer centers, and several multi-specialty centers, filed suit against American Guarantee and Liability Insurance Company (AGLI), arguing that AGLI should cover losses incurred by Inspira resulting from government shutdown orders that blocked access to certain parts of Inspira’s properties because of the threat of COVID-19, which resulted in an estimated $20 million in lost revenue.

In its ruling to dismiss Inspira’s suit, the Court found that Inspira did not establish a viable claim that the shutdown orders prohibited access to its properties, which was required for business interruption coverage under their policy with AGLI, and that while the shutdown orders restricted certain activities at Inspira locations, the orders did not entirely prohibit access. In making its decision, the Court relied on decisions in similar cases brought by health networks in other jurisdictions, most notably a July 2021 decision in the Southern District of New York relating to a claim filed by Northwell Health, New York’s largest healthcare system, where the Court found that Northwell failed to show a physical loss to its properties as a result of the government shutdown orders.

Assembly Bill 4829, introduced in the New Jersey Senate on October 24, 2022, would require the New Jersey Department of Health (DOH) to create a website with information on reproductive rights. The website would be required to include comprehensive information on women’s reproductive rights under federal and state law and under health insurance plans, including the right to emergency care; birth control; hyperlinks to websites that register the uninsured for health care benefits; and information on where and how to file a complaint if rights are violated.

JOHN D. FANBURG

Briefly describe a recent significant transaction, win or client victory.

Around holiday time last year, multiple practice areas within the Firm combined efforts to advise our client in order to do what was required to close on a sale transaction by the end of the year. The Firm represented a large orthopedic medical practice located in New Jersey, in a transaction which involved the sale of a multi-doctor, multi-office orthopedic practice. The transaction was multi-faceted and complicated due to the seller needing to obtain regulatory approvals, the need to complete a corporate reorganization of the seller in order to properly deal with tax and corporate issues in the transaction and negotiation of numerous transaction documents and employment agreements, and assignment of multiple office leases.

Why did you choose to focus your legal practice on healthcare law and the healthcare industry?

I was very fortunate to grow up with two sets of grandparents. One grandfather was a physician and the other grandfather was an attorney. As such, based upon my interests in “law” school, I veered towards law in tribute and in honor of my affection for my “lawyer” grandfather. In 1982, I interviewed for a summer position with Burt Eichler and Barry Ostrowsky, who were the “founders” of health care law in the state of New Jersey. Having the opportunity to work with them was a dream come true.

ERIKA MARSHALL

Briefly describe a recent significant transaction, win or client victory.

As part of a collaborative team within the Brach Eichler health department, I represented a retina practice in its sale to a private equity firm. As part of the transaction, I ensured proper transfer of clinical and non-clinical assets and the protection of the retina specialist’s interests as they became equity members of the management services company. Through our diligent efforts and attention to detail throughout the course of negotiations, our client and the private equity firm are now working as a unified business team to promote and grow their new business venture.

Why did you choose to focus your legal practice on healthcare law and the healthcare industry?

I initially began my career as a malpractice attorney and transitioned to the transactional healthcare practice as I found the law in this sector to be constantly evolving due to technology, ethics, and public policy. This ever-changing landscape is intriguing as it requires me to look at the issues from different angles to find the best possible solutions for our clients.

On October 31, 2022, the last day of National Cybersecurity Awareness Month, the U.S. Department of Health & Human Services (DHHS), Office for Civil Rights (OCR) published a new video presentation on “Recognized Security Practices” to assist HIPAA covered entities and business associates. Topics covered in the video include:

• The 2021 HITECH Amendment regarding recognized security practices
• How regulated entities can demonstrate that recognized security practices are in place
• Details about the evidence of recognized security practices that may be requested by OCR in the event of a HIPAA Security Rule investigation or audit
• Where to find more information about recognized security practices
• Answers to a selection of questions submitted to OCR in June 2022 on recognized security practices.

By way of background, on January 3, 2020, the Health Information Technology for Economic and Clinical Health (HITECH) Act was amended, creating a kind of “safe harbor” for HIPAA covered entities and their business associates when facing potential fines and other penalties under HIPAA. If the covered entity or business associate can “adequately demonstrate” to the Secretary of DHHS that it had “recognized security practices” in place for at least the 12 month period prior to the conduct in question—HIPAA violation, breach event or audit—the Secretary may determine to mitigate any fines to be assessed, favorably terminate early an audit that has been undertaken, or mitigate the remedies in any settlement agreement that may be entered into between the covered entity or business associate and the government. In short, a covered entity or business associate that has experienced a data breach incident and is responding to the related DHHS investigation and document requests, or is otherwise under a HIPAA audit or investigation, may be able to reduce or eliminate fines and penalties if it can sufficiently demonstrate its implementation of recognized security practices.

• Took longer to assemble a response team
• Took longer to stop the attack
• Took longer to recover from the attack
• Lost more money
• Took longer to assess the scope of the attack.

As part of the study, Cybereason asked organizations what steps they are taking to address the heightened ransomware threat. Responses included that organizations are planning to implement new detection capabilities specifically for ransomware that have better detection efficacy (38%), are augmenting staff so they can respond faster (31%), are pursuing automation to accelerate attack detection and response (29%), are learning to negotiate with ransomware actors (27%), and are setting up cryto wallets in the event they decide to pay (27%).

The bottom line: targeted victim organizations are more vulnerable to cyber attacks during off-hours, including weekends and holidays. Cybereason recommends that organizations:

• Explore different staffing models for security operations center analysts and incident responders—look to hospital emergency rooms or other emergency response organizations for models.

• Identify optimal staffing for weekends and holidays— what’s the least amount of coverage you can get away

Took longer to assemble a response team with and still reduce risk?

• Pursue a managed detection and response (MOR) strategy—augment existing staff with expert, third party 24/7/365 coverage.

• Lock down privileged accounts during off-peak hours— highest privilege accounts are rarely used on weekends and holidays.

• Implement clear isolation practices—to prevent attackers from making any further ingress on the network and from spreading the ransomware to other devices.

• Replace traditional antivirus products with next generation antivirus and endpoint detection and response solutions—look specifically for behavior-based tools capable of identifying ransomware attacks in their earliest stages, based on suspicious behaviors the tools are seeing across the organization’s network.