Healthcare Law Update – November 2023

On October 2, 2023, Attorney Generals in New Jersey, New York, and Georgia filed a complaint against Fresenius Vascular Care, Inc., one of its New York based executives, and several of its affiliates for allegedly performing medically unnecessary and potentially dangerous vascular interventions on Medicare and Medicaid recipients with end stage renal disease (ESRD). The defendants own, operate, and control a network of outpatient vascular care and ambulatory surgery centers in New Jersey, New York, and Georgia. For their own financial gain, they allegedly scheduled patients for appointments every three to four months to preserve their dialysis sites despite the defendants allegedly knowing that such procedures were not medically necessary. The patients were sedated and invasive procedures were performed on their veins and arteries. ESRD patients are often elderly people, people of color, and low-income individuals.

The defendants allegedly executed this scheme by ignoring medical records and falsifying patient records

On October 31, 2023, the New Jersey Office of the State Comptroller (OSC) released a report identifying 21 New Jersey adult medical day care providers (AMDCs) that improperly billed New Jersey Medicaid in an amount totaling $946,087.

The AMDCs violated Medicaid regulations by billing for more than five days in a week (Medicaid allows billing for only 5 days per week), billing for services for a beneficiary who was an inpatient at a different facility, and billing for services provided to a beneficiary when another AMDC also billed for the identical service on the same date. The report stated that these billing errors impacted the AMDC’s quality of care. If AMDCs cannot maintain accurate records showing when a patient is at a facility, there is risk that the AMDC does not know what services are being rendered or whether a patient is receiving medically necessary services. The report concluded that these overpayments were avoidable if AMDCs (1) carefully reviewed their documentation prior to submitting claims for payment to ensure they submit claims for services actually rendered and do not exceed the five day per week limit and (2) the New Jersey Division of Medical

The Department of Justice (DOJ) recently announced a new safe harbor policy for voluntary self-disclosures made in connection with mergers and acquisitions. Under the new policy, companies that timely and voluntarily self-disclose criminal misconduct uncovered during pre-acquisition due diligence or during the integration of a newly acquired business will receive the presumption of a declination of prosecution from the DOJ. To qualify under the new policy, acquiring companies must self-disclose criminal misconduct within six months from the closing date, cooperate with any DOJ investigation, and undertake full remediation of the misconduct within one year from the closing date, which may include restitution and disgorgement payments where applicable.

The new safe harbor policy serves as a means for acquiring companies to mitigate transactional risks and avoid potential legal liabilities, provided they maintain robust due diligence processes to swiftly uncover and report any misconduct to the DOJ. The policy is limited to misconduct within “bona fide, arms-length M&A transactions” and does not cover conduct that is already public, known to the DOJ, or otherwise requiring disclosure. The policy also does not impact civil merger enforcement. The presence of aggravating factors at the acquired company will not affect the acquiring company’s ability to receive a declination under the new policy. The DOJ may, upon request, extend the filing and remediation deadlines depending on the facts, circumstances and complexity of a particular transaction. The DOJ stressed that companies should not delay self-disclosure, particularly when national security implications are involved.

The safe harbor is designed to provide significant incentives for parties to potential transactions to disclose illegal conduct to the DOJ. The new policy will be applied department wide throughout all components of the DOJ and apply to transactions in all types of industries, including healthcare transactions. The new policy is not binding on other enforcement or regulatory authorities, and self-disclosed misconduct may still be pursued by other federal, state, local and foreign bodies. It remains to be seen how the DOJ will implement the policy and what implications the new safe harbor policy will have on existing voluntary self-disclosure rules.

On November 6, 2023, the US Department of Health and Human Services, Office of Inspector General (OIG) unveiled the General Compliance Program Guidance (GCPG), a significant update to its existing compliance guidance for various segments of the healthcare industry.

The GCPG provides assistance to health industry participants to voluntarily develop and implement programs to monitor their compliance with applicable laws, regulations, and requirements and to prevent fraud, waste, and abuse. The GCPG outlines seven crucial elements for an effective healthcare compliance program:

• comprehensive written policies, including employee conduct and risk reduction processes.
• compliance leadership, including a compliance officer, committee, and board oversight.
• annual training on compliance programs and associated risks.
• effective communication channels and a robust disclosure program with an emphasis on access, visibility, and anonymity for those reporting concerns.
• bifurcation of the enforcement process into repercussions for noncompliance and incentives for risk reduction.
• periodic evaluations of risk through assessing, auditing, and monitoring.
• response to detected offenses, emphasizing prompt investigation, timely reporting, and corrective action, considering specific reporting requirements under federal laws.

On October 27, 2023, the Departments of Health and Human Services, Labor, and the Treasury and the Office of Personnel Management issued a proposed rule to improve the functioning of the Federal Independent Dispute Resolution (IDR) process outlined in the No Surprises Act (NSA).

If finalized, the proposed rule would, among other things:

• Improve communication and information exchange during the open negotiation period before parties initiate the IDR process by requiring a party to notify the other party and the Departments about commencing the 30 business-day open negotiation period and requiring the other party to provide a response by the 15th business day of the open negotiation period.

• Encourage efficiencies in the IDR process by allowing batching of: (1) items and services furnished to a single patient on one or more consecutive dates and billed on the same claim form, (2) items and services billed under the same service code or a comparable code under a different procedure code system, and (3)

anesthesiology, radiology, pathology, and laboratory items and services billed under service codes in the same CPT code category, as specified by the Departments.

• Quicken eligibility determination by requiring certified IDR entities to determine whether a claim is eligible for the IDR process within 5 business days of final certified IDR entity selection and to notify both disputing parties and the Departments of such determination.

• Modify non-refundable administrative fee collection by requiring disputing parties to pay the fee directly, with the initiating party required to pay within two days of IDR entity selection, and the non-initiating party within two days of an eligibility determination notice. Failure to pay would result in dispute closure or non-consideration of an offer. The proposed rule also includes debt collection procedures for non-initiating parties failing to pay promptly.

• Amend the extenuating circumstances in which applicable periods of time may be extended by the Departments.

Interested parties have until January 3, 2023 to submit comments on the proposed rule.

On October 25, 2023, the Office of Inspector General (OIG) issued Advisory Opinion (AO) 23-08 in response to a cochlear implant manufacturer’s proposal to offer a “hearing bundle” and provide a free compatible hearing aid to eligible patients. Under the proposed arrangement, the hearing bundle would be purchased, the cochlear implant device would be implanted at a hospital or surgical center, and the free hearing aid would later be programmed and fitted by an audiologist. Receipt of the free hearing aid would be conditioned upon purchasing the cochlear implant device. The OIG determined that the proposed arrangement would implicate the federal Anti-Kickback Statute because the free hearing aid offered to patients may induce them to order and purchase the cochlear implant, which is reimbursable by federal healthcare programs. The OIG has longstanding and continuing concerns regarding free items because they can result in unfair competition with other manufacturers who may not be in a position to offer a similar benefit.

On October 10, 2023, the Drug Enforcement Administration (DEA) and the Department of Health and Human Services (DHHS) issued a second temporary extension of existing temporary flexibilities allowing providers to prescribe controlled substances via telehealth. This extension is a continuation of a policy that was initially implemented in 2020 in response to the COVID-19 pandemic, which temporarily exempted providers from federal rules requiring an in-person valuation before prescribing controlled substances. Under the new extension, these flexibilities will remain in place until December 31, 2024.

The DEA and DHHS issued the first temporary extension on May 10, 2023, allowing providers to prescribe controlled substances through telehealth to new patients until November 11, 2023, and to established patients until November 11, 2024, despite the conclusion of the

The Centers for Medicare & Medicaid Services (CMS) recently published a final rule to update the payment systems for the Medicare Hospital Outpatient Prospective Payment System (OPPS) and Ambulatory Surgical Centers (ASC) for calendar year 2024 (CY 2024). This rule sets payment rates and introduces policy changes that will affect services provided in hospital outpatient and ASC settings during CY 2024.

Under the final rule, CMS is implementing an overall 3.1% increase in OPPS and ASC payment rates, factoring in productivity adjustments. CMS estimates that total payments to OPPS and ASC providers for CY 2024 will be approximately $88.9 billion and $7.1 billion, respectively, taking into account factors such as beneficiary cost-sharing and anticipated changes in enrollment, utilization, and case mix. Goals of the final rule include promoting health equity, expanding access to behavioral health care, improving transparency in the health system, and fostering safe, effective, and patient-centered care.

The final rule places emphasis on quality reporting program requirements, with non-compliance potentially resulting in a 2% reduction in the CY 2024 fee schedule increase factor. Additionally, the final rule encompasses various policy changes, such as enhanced hospital price transparency requirements, the implementation of the intensive outpatient program benefit, and the inclusion of dental codes and procedures in the ASC-covered procedures list. Notably, the bundling policy for diagnostic radiopharmaceuticals remains unchanged, and CMS will maintain the statutory default rate for 340B-acquired drugs and biologicals.

Effective February 4, 2024, three of the New Jersey Department of Health’s (DOH) waivers/temporary rules granted during the Covid-19 pandemic will be revoked. The first waiver concerns permitting healthcare practitioners to provide services using telehealth/telemedicine for long term care facilities, assisted living facilities, and licensed health care facilities. The second waiver was issued for services related to providing home health services to patients outside of the approved license/geography and providing hospice services to patients outside the hospice service area. The third waiver relates to the requirement that ambulatory care facilities with a mobile van submit to the DOH a service schedule.

On October 27, 2023, Governor Murphy, in collaboration with the Department of Banking and Insurance, announced a grant award of $5,000,000 to the New Jersey State Navigator Grant Program. Navigator grants support organizations that provide training programs, and educational activities, and offer free, unbiased assistance to residents seeking to purchase insurance through the healthcare marketplace. This grant will be provided to 26 community organizations across New Jersey which will assist uninsured and underinsured residents in registering for healthcare coverage via the healthcare marketplace during open enrollment which began on November 1, 2023.

In the past three months, California Governor Gavin Newsom has signed into law two new pieces of legislation which further restrict non-compete clauses in California. Currently, a restrictive covenant is unlawful in California if it restrains a person from engaging in lawful profession, trade or business of any kind (subject to certain exceptions). SB699 was passed on September 1, 2023, and broadens the existing laws regarding non-compete clauses and further provides employees with legal remedies when employers attempt to enforce unlawful restrictive covenants. Employees will be permitted to seek injunctive relief, damages, or both when employers seek to enforce unlawful restrictive covenants. AB 1076 was passed on October 13, 2023 and makes it unlawful for an employer to include a non-compete clause in an employment agreement or to require an employee to enter into a non-compete agreement. Additionally, employers are required to provide notice to employees who have entered into an employment agreement with a non-compete clause or a non-compete agreement that was issued after January 1, 2022 that such clause or agreement is now void and no longer enforceable. Both new laws take effect on January 1, 2024.

Reason #1: The HIPAA Security Rule requires health care providers that are covered entities under HIPAA, and their business associates, to have in place a sanction policy. The policy must require that appropriate sanctions will be applied against members of the workforce who fail to comply with the organization’s HIPPA privacy and security policies and procedures or the requirements of the HIPAA Privacy Rule or Security Rule. When a workforce member violates such policies, procedures or requirements and sanctions are applied, the organization must document the sanctions that are applied, or document a decision not to impose sanctions.

Reason #2: According to the Department of Health & Human Services October 2023 OCR Cybersecurity Newsletter, “Sanction policies can improve a regulated entity’s compliance with the HIPAA Rules.” This is the case because:

“Imposing consequences on workforce members who violate a regulated entity’s policies or the HIPAA Rules can be effective in creating a culture of HIPAA compliance and improved cybersecurity because of the knowledge that there is “a negative consequence to noncompliance enhances the likelihood of compliance.” Training workforce members on a regulated entity’s sanction policy can also promote compliance and greater cybersecurity vigilance by informing workforce members in advance which “actions are prohibited and punishable.” A sanction policy that clearly communicates a regulated entity’s expectations should ensure that workforce members understand their individual compliance obligations and consequences of noncompliance.”

Reason #3: It makes good business sense. Not only can a documented and well-publicized sanction policy have the affect discussed above, but it also may in some cases help shield an employer from liability when terminating an employee for HIPAA infractions. Further, a sanction policy may help reduce or potentially negate governmental penalties that might be imposed as a result of the government’s investigation of a breach incident.

Additional Takeaways: Although HIPAA provides organizations with flexibility in crafting an appropriate sanction policy, plain vanilla sanction policies contained in employee handbooks may not be sufficient to appropriately address HIPAA violations. Organizations should review existing policies and amend or add sanction policies as needed. Such policies should, among other things, (i) establish a formal process for implementing and documenting sanctions; (ii) establish sanctions appropriate to the nature of the violation; and (iii) establish varying degrees of sanction (from warning to termination) depending on the severity of the violation, whether the violation was intentional or unintentional, and whether the workforce member demonstrates a pattern or practice of non-compliance.

Recently, the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health & Human Services (DHHS) and the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group released a cybersecurity toolkit in a collaborative effort “to deliver tools, resources, training, and information that can help organizations” in the health and public health (HPH) sector with the daily cybersecurity issues faced by the HPH sector. Among the topics currently offered are:

• Know the Risks, Use Cyber Hygiene
• Strengthen Your Defenses and Mature your Cybersecurity Efforts
• Address Resource Constraints

The website offers related resources, including resources on cybersecurity best practices.

JOHN D. FANBURG
What advice can you share with a client who might need your services?
Many of my clients are physicians, physician groups and physician organizations. As physicians, they have been vigorously trained to document all aspects of patient care. My advice to my clients is to understand the importance of documenting their actions, comments, agreements and relationships with vendors, landlords and employees. It is important to maintain files of all important documents and ensure they are kept up to date in order to substantially reduce disputes and avoid unnecessary disagreements and litigation.

What are some best practices for healthcare clients?
Use your attorney as a member of your management team. Seek from your attorney not only legal advice but also business and strategic advice. As an attorney for over 40 years in the health care world, I have been a part of and witnessed many changes in the business of health care as well as significant regulatory changes. Using this experience, I am able to assist my health care clients by developing strategies for a more successful health care
enterprise.

VANESSA COLEMAN

What advice can you share with a client who might need your services?
When seeking legal counsel for your healthcare organization, clearly define your needs and prioritize professionals with expertise in healthcare law. Choosing legal professionals aligned with your organization’s values and needs is crucial for success and compliance. Encourage collaboration between your internal teams and legal counsel as this will ensure a comprehensive understanding of your organization’s operations and challenges. And just know that Brach Eichler LLC is well-equipped to address any legal needs your healthcare organizations may have.

What are some best practices for healthcare clients?
Healthcare clients should prioritize ongoing compliance, including regular training, risk assessments, and collaboration with legal counsel. They should emphasize patient privacy, ethical practices, and effective communication. Additionally, they should focus on adopting technology, community outreach, and continuous quality improvements that contribute to organizational success.

On October 26th, ROI-NJ announced that “Brach Eichler Names New Vice Chair of its National Healthcare Practice Group.” Congratulation Isabelle Bibet-Kalinyak!

On November 2nd, Brach Eichler was included in the “2024 Best Law Firm in New Jersey” list by Best Lawyers. The Healthcare Law practice has been ranked in Metropolitan Tier 1 for over 5 years!

On November 7th, Healthcare Law Chair John D. Fanburg and Member Carol Grelecki gave a regulatory update at The Radiological Society of New Jersey’s Annual Meeting.

On November 8th, Brach Eichler was a sponsor of the 2023 New Jersey Monthly Magazine “TopDocs Awards.” Congratulations to this year’s TopDocs!

On November 13th Brach Eichler’s Healthcare practice welcomed Michael C. Foster to the firm.

On December 6th, Healthcare law Chair John D. Fanburg will be moderating a panel about “Healthcare Mergers, Acquisitions and Affiliations” at the 2023 Withum Healthcare Symposium.

If you were unable to attend The New Jersey Healthcare Market Review (NJHMR) or missed any sessions and would like to revisit the insights shared please click here.