OCR Releases Ebola Bulletin

This post was written by Jennifer Pike.

The recent Ebola outbreak has prompted the US Department of Health and Human Services, Office for Civil Rights (“OCR”), the agency responsible for enforcing the Health Insurance Portability and Accountability Act (“HIPAA”), to release a new bulletin for covered entities and business associates regarding their privacy obligations in emergency situations. The bulletin, entitled “HIPAA Privacy In Emergency Situations,” provides an overview of the limited ways in which covered entities and business associates may use and disclose protected health information in emergencies, such as the Ebola outbreak. The bulletin is available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/emergency/hipaa-privacy-emergency-situations.pdf.

Insights About Future Use of Protected Health Information Under HIPAA

How will Protected Health Information (PHI) be used in the future? Reed Smith partner Brad Rostolsky strives to answer this question in “HIPAA Enforcement: The Next Step,” an interview and accompanying article that appeared on HealthcareInfoSecurity on October 14th. The article discusses a number of trends predicted for the near future stemming from the HIPAA Omnibus Rule introduced last year, such as an increase in the number of investigations by the Department of Health and Human Services’ Office for Civil Rights regarding the illegal use, disclosure, and sale of PHI without patient authorization, particularly when used for marketing and fundraising purposes. The article also provides recommendations for companies preparing for HIPAA compliance audits, privacy concerns related to the use of consumer health information on social media, and potential HIPAA privacy issues involving wearable consumer health devices.

To listen to the interview and read the article, click here.

Reed Smith Team Analyzes OIG's Proposed Rule Amending Anti-Kickback Safe Harbors, CMP Rules & Gainsharing Regulations

The Office of Inspector General (OIG) of the Department of Health and Human Services published a major proposed rule on October 3, 2014 amending the Anti-Kickback Statute (AKS) safe harbors and the Civil Monetary Penalty (CMP) rules to protect a number of payment practices not previously allowed under those regulations. The proposed rule and the effects it would have on the AKS safe harbors and CMP rules are analyzed in a client alert written by Reed Smith attorneys Elizabeth Carder-Thompson, Scot Hasselman, Bob Hill, Carol Loepere, Paul Pitts, Sal Rotella, Susan Edwards, Katie Hurley, and Katie Pawlitz, and senior health policy analyst Deb McCurdy.

Among the payment practices that would be covered by the amended AKS safe harbors are certain cost-sharing waivers, manufacturer discounts for drugs provided to Medicare Coverage Gap Discount Program beneficiaries, and certain free or discounted local transportation services incentives. In addition, the CMP rules would clarify the definitions of “remuneration” to allow for, among other things, decreased copayments for certain hospital outpatient services, certain retailer reward programs, and waivers of copayments for the initial fill of a generic drug. The proposed rule also includes a proposal to codify the “gainsharing” CMP rule, which prohibits certain hospitals from intentionally compensating physicians to reduce or limit services to Medicare or Medicaid patients.

The authors note that a rule of this nature appears to be an acknowledgment by the OIG that the evolution of health care delivery in the United States has required the agency to become more flexible in regards to enforcing certain aspects of fraud and abuse regulation.

Comments on the proposed rule are being accepted by the OIG through December 2, 2014.

To read the client alert, click here.

OIG Warns About Ineligibility of Health Care Program Beneficiaries for Pharmaceutical Coupon Programs

The Office of Inspector General (OIG) of the Department of Health & Human Services issued a Special Advisory Bulletin (SAB) on September 19, 2014 discussing the coupon programs employed by many pharmaceutical manufacturers to reduce or entirely eliminate patient copayments to obtain brand-name drugs. As mentioned on our Health Industry Washington Watch blog, the SAB cautions that there are several risks associated with manufacturers utilizing such coupon programs, and that the manufacturers must make efforts to prevent federal health care program beneficiaries from using the coupons if they wish to avoid these risks. Among the potential issues that can arise from an improperly-regulated coupon program are violations of the Anti-Kickback Statute (when programs – which qualify as remuneration – are purposely paid with the intent to encourage the use of items or services payable by a federal health care program) and False Claims Act (when a claim includes items or services resulting from a kickback violation). While the SAB’s focus is on manufacturer coupon practices, in a footnote, the OIG states that pharmacies accepting coupons for Part D copayments may also be subject to these sanctions.

To read the entire post, click here.

OIG Advisory Bulletin Addresses Independent Charity Patient Assistance Program Risks

Patient Assistance Programs (PAPs) provide important help to patients of limited means who do not have insurance coverage for drugs and need assistance covering drug costs, often for chronic illnesses. The Office of the Inspector General (OIG) of the Department of Health and Human Services has now issued an advisory bulletin, dated May 21, 2014, intended to expand existing OIG guidelines related to PAPs, which can give rise to anti-kickback statute issues in some circumstances.

The new advisory bulletin, which is summarized in a client alert by Reed Smith partner Joe Metro and summer associate Peter Vogel, focuses specifically on Independent Charity PAPs. Among the issues discussed are the relationship between donors and Independent Charity PAPs, Independent Charity PAPs’ definitions of disease funds and eligible recipients, and the potential illegality of donor actions in relation to support for their own products. The OIG has stated that it will be working with PAPs that previously received advisory opinions to identify potential changes that could provide some clarity to these issues.

OIG Proposes Amendment of Health Care Program Civil Monetary Penalty Regulations

The Office of Inspector General (OIG) of the Department of Health and Human Services has issued a proposed rule that would institute several changes to the health care program civil monetary penalty (CMP) regulations. Under the proposed rule, which is analyzed in a client alert prepared by Reed Smith lawyers Paul Pitts, Joe Metro, and Susan Edwards, the OIG would have the expanded authority to enforce significant CMPs on providers and suppliers in a variety of scenarios.

In addition, the rule proposes a reorganization and clarification of current CMP regulations, including the methods used to determine when and how a CMP should be issued and how a CMP should be calculated. The OIG estimates that enforcement of the proposed rule would result in an increase in CMP collections by the government. Comments on the rule are due by July 11, 2014.

Exclusion Rules For Those Who Receive Funds From Federal Health Care Programs May Get Even More Complicated

The Office of Inspector General (OIG) of the Department of Health and Human Services identifies the underlying purpose of its exclusion authority as to protect federal health care programs and their beneficiaries from “untrustworthy health care providers, i.e., individuals and entities who pose a risk to program beneficiaries or the integrity of these programs.” The OIG now has published a new proposed rule that would greatly expand the bases upon which it could affirmatively exclude an individual or entity from participation in federal health care programs, and Reed Smith lawyers Carol Loepere, Elizabeth Carder-Thompson, Scot Hasselman, Katie Hurley, and Erin Atkins have prepared a full summary of this proposed rule.

In particular, this summary examines the OIG’s position that there should be no statute of limitations applicable to when it may seek exclusion, because limitless look-back authority could place a tremendous burden on providers and suppliers if their conduct and compliance efforts are second-guessed many years into the future, when supporting documentation and witnesses are long gone. The proposed rule also revises relevant definitions, provides new grounds for exclusion, proposes procedures for early reinstatement, among other things, and is a by-product of provisions of the Affordable Care Act, which expanded the OIG’s exclusion authority and allowed for testimonial subpoenas in investigations of exclusion cases.

Recent OCR Enforcement Activities Cause Serious Case of Déjà Vu: Theft of Unencrypted Laptops Leads to Two Separate HIPAA Settlements

This post was written by Brad Rostolsky, Nan Bonifant and Jillian Riley

We have heard this story before: unencrypted laptop containing electronic protected health information (ePHI) is stolen. The covered entity’s subsequent breach self-report triggers not only an incident investigation by the Department of Health and Human Services, Office for Civil Rights (OCR), but a de facto HIPAA compliance audit as well. While the covered entities involved change, the consequences and enforcement message remain the same.

Now, two more covered entities have settled potential violations of the HIPAA Privacy and Security Rules arising from the theft of unencrypted laptops by paying a total of $1,975,220, and agreeing to continued oversight by OCR through Corrective Action Plans (CAPs). In both instances, the breaches were self-reported and the settlements resulted from OCR’s subsequent investigations.

On December 28, 2011, Concentra Health Services (Concentra), a national health care provider and subsidiary of Humana Inc., reported to OCR that an unencrypted laptop was stolen from one of its facilities. OCR’s subsequent investigation revealed that while Concentra previously recognized that a lack of encryption on laptops, desktops, medical equipment, and tablets presented a critical risk to ePHI, Concentra failed to fully implement necessary steps to address those vulnerabilities. OCR’s investigation further found that Concentra had insufficient security management processes in place to ensure proper safeguarding of patient information. Concentra paid OCR $1,725,220 to resolve these alleged HIPAA violations and will adopt a CAP to evidence their remediation efforts.

The second settlement, which resulted in a $250,000 payment to OCR, stemmed from the theft of an unencrypted, stolen laptop from an employee’s car on October 8, 2011. The laptop, belonging to a workforce member of QCA Health Plan, Inc. of Arkansas (QCA), contained the ePHI of 148 individuals. While QCA instituted company-wide device encryption following discovery of the breach, OCR’s subsequent investigation revealed that QCA had failed to comply with multiple requirements of the HIPAA Security Rule, beginning from the Rule’s compliance date in April 2005. In addition to the monetary settlement amount, QCA agreed to provide HHS with an updated risk analysis and corresponding risk management plan that includes specific security measures to reduce risks to vulnerabilities of its ePHI. QCA also agreed to retrain its workforce and document its ongoing compliance efforts.

Unfortunately, as the proliferation of portable devices in the health care industry increases, the question for most covered entities is not if a laptop or mobile device will be stolen, but when. Encryption not only provides a safe harbor under the Breach Notification Rule, but it has also become a practical necessity to HIPAA compliance. Failure to address encryption of portable devices in Security Rule risk analyses and, in most cases, failure to implement some form of encryption, will continue to expose covered entities (as well as business associates) to significant compliance risk.

Additional information about OCR’s enforcement activities can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.

D.C. Circuit Rules in Favor of Providers in DSH Part C/Part A Appeal... Or Does it?

This post was written by Salvatore G. Rotella, Jr. and Zachary A. Portin

In a much-anticipated decision, the U.S. Court of Appeals for the District of Columbia Circuit last month affirmed the lower court’s ruling in favor of the hospital plaintiffs in Allina Health Services, et al. v. Sebelius (D.C. Cir., No. 13-5011, Apr. 1, 2014). The otherwise good news for providers, however, was called into question by the appellate court’s instructions as to the proper remedy in the case.

Allina involved a Part C/Part A issue challenge to the method that the Department of Health and Human Services (HHS) used to calculate the plaintiffs’ DSH payments for the 2007 cost year. Specifically, in undertaking the DSH calculation, HHS treated inpatient days of Part C beneficiaries (Part C Benefit Days) as days for which those patients were “entitled to benefits under Part A” of Medicare. HHS did so pursuant to a final rule it issued in 2004 (the 2004 Final Rule) and codified in a 2007 regulation.

Previously, the D.C. District Court had held in its Allina decision that the 2004 Final Rule was procedurally defective, and HHS was therefore required to treat Part C Benefit Days as days for which those patients were not entitled to benefits under Part A. That approach would generally have led to additional DSH reimbursement for hospitals. On appeal, the D.C. Circuit affirmed the lower court’s finding that the 2004 Final Rule was improper, but remanded the case for the Secretary to decide again, this time without relying on the 2004 Final Rule.

While the D.C. Circuit’s ruling nominally favored the hospital plaintiffs, it also effectively invited HHS to reach the same policy announced in the 2004 Final Rule, but this time through an administrative adjudication rather than a rulemaking. This is a troubling possibility for providers because adjudicatory findings, unlike most rulemakings, can be retroactively applied to previous cost years. In short, the D.C. Circuit’s Allina opinion is unlikely to be the last word on the Part C/Part A issue in particular, or on the fate of the many other pending DSH issue appeals in general.

County Governments Not Immune From HIPAA Enforcement: OCR Announces $215,000 Settlement with Skagit County, Washington

This post was written by Brad Rostolsky, Nan Bonifant, and Jen Pike

On March 7, 2014, the HHS Office for Civil Rights (“OCR”) announced its first settlement and corrective action plan with a county government. Skagit County in northwest Washington State has agreed to pay $215,000 to settle potential violations of the HIPAA Privacy, Security and Breach Notification Rules.

According to Susan McAndrew, deputy director of health information privacy at OCR, “this case marks the first settlement with a county government and sends a strong message about the importance of HIPAA compliance to local and county governments, regardless of size.” Generally, local and county governments are subject to HIPAA because certain departments within the government are involved in the provision of or payment for health care services. The Skagit County Public Health Department provides essential services to many individuals who would otherwise not be able to afford health care. Importantly, a single legal entity whose business activities include both HIPAA covered and non-covered services (like a county government) may designate itself as a “hybrid entity” by identifying its “health care components.” This designation, however, must be formally documented in the entity’s policies and procedures. Most of the requirements of the Privacy, Security and Breach Notification Rules apply only to the hybrid entity’s health care components.

OCR began investigating Skagit County following a breach self-report notifying OCR that the electronic protected health information (“ePHI”) of seven individuals receiving services from the Skagit County Public Health Department was posted on a publicly available server maintained by the county and accessed by unknown parties. The investigation revealed that the ePHI of not just seven – but 1,581 – individuals, was made available on the public server. The ePHI, which could be accessed through a simple Google search, included highly sensitive information, such as the testing and treatment of infectious diseases. OCR’s investigation further revealed Skagit County’s general and widespread non-compliance with the HIPAA Privacy, Security and Breach Notification Rules, including the implementation of sufficient policies and procedures.

In addition to the $215,000 settlement, the Resolution Agreement between Skagit County and OCR included a corrective action plan (“CAP”) that requires Skagit County to, among other things, (1) provide substitute breach notification to affected individuals not previously notified; (2) create and revise written policies and procedures to comply with HIPAA; and (3) submit for OCR’s review and approval hybrid entity documents designating the county’s covered health care components. The CAP also requires Skagit County to provide regular status updates to OCR, which will work closely with the county to correct deficiencies.

While OCR marks this settlement as the first with a county government, it is not the first for a public entity. In June 2012, the Alaska Department of Health and Social Services agreed to pay $1.7 million to settle possible violations of the Security Rule. Notably, both of these enforcement actions, and most actions since 2012, have resulted from a breach self-report used by OCR as an opportunity to conduct a de-facto audit of the entity’s general HIPAA compliance. Whether this enforcement trend will continue will likely depend upon the scope (and perhaps more importantly, the funding), of OCR’s second round of statutorily required audits of covered entities and business associates. Regardless, given the environment of increased OCR enforcement, regulated entities should ensure, at a minimum, that they have implemented the basic elements of HIPAA compliance—performance of a Security Rule risk analysis, implementation of sufficient policies and procedures (including documentation of any hybrid entity designation), and adequate training of workforce members.

Additional information about OCR’s enforcement activities can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.

Manufacturer, Group Payment Organization, and Physician Financial Information Slated For Disclosure, May Spur False Claims Act Activity

As mentioned on our Health Industry Washington Watch blog, pharmaceutical and medical device manufacturers and group purchasing organizations (GPO) are currently in the process of submitting detailed 2013 payment and investment interest data to the Centers for Medicare & Medicaid Services. The submission of this data, as dictated by the Physician Payment Sunshine Act, is intended to highlight certain financial relationships between the manufacturers and GPOs and physicians. With some exceptions, this data will become public by September 1, 2014, at which time the Department of Health and Human Services’ Office of the Inspector General, Department of Justice, and relators’ attorneys will likely analyze the data to initiate investigations and support complaints under the federal False Claims Act. To read the entire post, click here.

Final Rule Gives Patients a New Right under HIPAA to Access Completed Test Reports Directly from Labs

This post was written by Nan Bonifant, Brad Rostolsky, and John Wyand

On February 6, 2014, the U.S. Department of Health & Human Services’ (HHS) Centers for Medicare & Medicaid Services (CMS), Centers for Disease Control and Prevention (CDC), and Office for Civil Rights jointly published a final rule amending the HIPAA Privacy Rule and the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations to provide patients with direct access to laboratory test reports. HHS believes that a right to access these test reports under HIPAA is crucial to provide patients with vital information to empower them to better manage their health and take action to prevent and control disease. The amendments to both regulations become effective April 7, 2014, and HIPAA-covered laboratories must comply with the new right by October 6, 2014.

Under the currently enforced Privacy Rule, a patient’s right to access his or her protected health information (PHI) is limited with respect to PHI maintained by a CLIA laboratory or a CLIA-exempt laboratory. This limitation was included in the Privacy Rule because the existing CLIA regulations may prohibit such laboratories from disclosing this information. Currently, a CLIA laboratory may only disclose laboratory test results to three categories of individuals or entities: (1) the “authorized person,” (2) the health care provider who will use the test results for treatment purposes, and (3) the laboratory that initially requested the test. An “authorized person” is the individual authorized under state law to order or receive test results. If a state does not authorize patients to receive their test results, the patients must receive this information from their health care providers.

The final rule modifies the CLIA regulations to allow laboratories subject to CLIA, upon the request of a patient (or the patient’s personal representative), to provide access to completed test reports that – using the laboratory’s authentication process – can be identified as belonging to that patient. With respect to the Privacy Rule, the final rule removes the exceptions to a patient’s right of access related to CLIA and CLIA-exempt laboratories. Therefore, as of October 6, 2014, HIPAA-covered laboratories will be required to provide a patient or his or her personal representative with access, upon request, to the patient’s completed test reports, as well as to other PHI maintained in a designated record set. For purposes of the final rule, test reports are not part of a designated record set until they are “complete.” A test report is considered complete when all results associated with an ordered test are finalized and ready for release. These changes to the Privacy Rule preempt any contrary state laws that prohibit a HIPAA-covered laboratory from providing patients direct access to their completed test results.

In order to comply with the amended Privacy Rule, HIPAA-covered laboratories should develop and implement a policy and procedure to receive and respond to patient requests. Processing a request for a test report, either manually or electronically, will require completion of the following steps: (1) receipt of the request from the individual; (2) authentication of the identification of the individual; (3) retrieval of test reports; (4) verification of how and where the individual wants the test report to be delivered and provision of the report by mail, fax, email or other electronic means; and (5) documentation of test report issuance. Additionally, HIPAA-covered laboratories must revise their notice of privacy practices to inform patients of their right to access completed test reports, including a brief description of how to exercise the right, and removing any statements to the contrary.

This amendment to the regulations is consistent with OCR’s focus on improving patients’ rights under the Privacy Rule, and represents another important aspect of policy change and documentation efforts for HIPAA-covered entity providers.

Physician-Owned Distributor (POD) Update: Device Manufacturer's Challenge to OIG Fraud Alert Fails; OIG Finds PODs Increase Medicare Costs; and Hospitals Continue to Adopt Anti-POD Policies

This post was written by Elizabeth Carder-Thompson.

We have been reporting for some time on issues involving the Office of the Inspector General (OIG) scrutiny of physician-owned distributors (PODs).  In March 2013, we analyzed an OIG Special Fraud Alert on PODs and in October we reported on an interesting challenge to the Fraud Alert filed by a medical device manufacturer in the U.S. District Court for the Central District of California.  That suit argued that the Fraud Alert unfairly and unconstitutionally burdened the plaintiff’s First Amendment rights of free speech and due process. Below, we report on the disposition of that case, and several other related POD developments.

Reliance Medical Systems had described itself in its complaint as “a design company that collaborates with spine surgeons to design highly customized spinal implant devices and surgical tools.”  It stated that it had physician owners from its beginning in 2006, characterizing this as a business model that “maximizes and optimizes physician design input,” but it subsequently moved away from that model.  Among other things, the complaint argued that “Big Corporations” that had been forced to compete with small physician-owned entities undertook a multi-year lobbying crusade, resulting in the OIG’s issuance of Fraud Alert.  In a separate part of the complaint, Reliance allowed that “the OIG is currently investigating Reliance, and its physicians with whom Reliance previously communicated.”  It went on to explain that it now wished to return to a physician-owned business model, but that the Fraud Alert’s characterization of PODs as “inherently suspect” under the federal anti-kickback statute was chilling its ability to speak with prospective physician owners.  It also expressed concern about future OIG investigations, and about reluctance by hospitals and ambulatory surgical centers to enter contracts with it, for fear that they themselves may be “at risk” under the Fraud Alert for doing business with physician-owned entities.

While Reliance claimed it suffered both present and prospective injuries, the court found that it failed to demonstrate an actual or imminent injury to any legally protected interest, stating:

What has “chilled” Reliance’s speech about forming a physician-owned entity, the Court surmises, is its fear that forming such an entity will be viewed as illegal. Reliance’s argument is, at base, that the [Fraud Alert] has created uncertainty regarding whether such conduct is legal, thereby inhibiting it from discussing it. This is not a First Amendment injury that would confer standing.

The court further found that any injury to Reliance was “purely speculative,” and therefore that Reliance lacked standing to raise a due process claim.

The court went on to assert that, even if it had subject matter jurisdiction, it would decline to exercise it.  In short, the court found that there had been no “concrete action” in applying the Fraud Alert, and therefore that the action was not ripe.  Thus, it granted the motion to dismiss filed by the government.

Meanwhile, and not surprisingly, the tide definitely seems to have turned against the POD business model.  Beyond the Fraud Alert, the OIG in October 2013 issued a report on the prevalence and use of PODs by hospitals, finding that, “in FY 2011, PODs supplied devices used in nearly one in five spinal fusion surgeries billed to Medicare.”  Hospitals using physician-owned companies averaged 28 percent more spine surgeries, and their rate of spinal fusions jumped 21 percent after they began purchasing from PODs (compared to a 9 percent increase for hospitals overall, during the same period).   The OIG’s overall findings in the report are – as alluded to in the underlying Fraud Alert – that PODs likely increase Medicare costs and raise anti-kickback and conflict of interest concerns:

Our findings raise questions about PODs' claim that their devices cost less than those of other suppliers. Surgeons performed more spinal surgeries at hospitals that purchased from PODs, and those hospitals experienced increased rates of growth in the number of spinal surgeries performed in comparison to the rate for hospitals that did not purchase from PODs. Taken together, these factors may increase the cost of spinal surgery to Medicare over time. Finally, hospitals' policies varied in whether they required physicians to disclose ownership interests in PODs to either the hospitals or their patients. Thus the ability of hospitals and patients to identify potential conflicts of interest among these providers is reduced.

A July 25, 2013 article in the Wall Street Journal, “Surgeons Eyed Over Deals with Medical-Device Makers,” listed many large hospital and health systems across the country choosing not to do business with PODs.  Our own recent experience is that some hospitals even are requiring signed certifications from all vendors – including non-spine entities — that they have no physician ownership.  The new “Sunshine” regulations which now are effective require increased reporting of physician ownership by drug and device entities as well as group purchasing organization, and the published results will likely cause this scrutiny of PODs to continue unabated.

Device Manufacturer Files Federal Challenge to OIG Special Fraud Alert on Physician-Owned Distributors

Suit argues Fraud Alert violates its First Amendment rights; alleges Alert stemmed from multi-year lobbying crusade by “Big Corporations” forced to compete with small physician-owned entities.

This post was written by Elizabeth Carder-Thompson.

On October 8, 2013, Reliance Medical Systems, LLC, filed a complaint in the U.S. District Court for the Central District of California, seeking a declaration that an Office of Inspector General (OIG) Special Fraud Alert on physician-owned distributors (PODs) unfairly and unconstitutionally burdens First Amendment rights of free speech and due process.  (See our March 2013 analysis of the Fraud Alert.)

Reliance describes itself as “a design company that collaborates with spine surgeons to design highly customized spinal implant devices and surgical tools.”  It states it had physician owners from its beginning in 2006, characterizing this as a business model that “maximizes and optimizes physician design input.”  However, in 2012, before issuance of the Fraud Alert, it “moved away from the physician-owned entity business model, after careful consideration and out of an abundance of caution.”  Interestingly, in a separate part of the complaint, Reliance allows that “the OIG is currently investigating Reliance, and its physicians with whom Reliance previously communicated.”  The Complaint goes on to explain that it now wishes to return to a physician-owned business model, but that the Fraud Alert’s characterization of PODs as “inherently suspect” under the federal anti-kickback statute is chilling its ability to speak with prospective physician owners.  It also expresses concern about future OIG investigations, and about reluctance by hospitals and ambulatory surgical centers to enter contracts with it, for fear that they themselves may be “at risk” under the Fraud Alert for doing business with physician-owned entities.

The complaint provides a colorful chronology of events leading up to the OIG’s issuance of the POD Fraud Alert.  First, it cites to the Ninth Circuit’s 1995 decision in Hanlester1 as the “leading case considering the limitations that the anti-kickback statute imposes on physician-owned entities,” concluding based on that decision that many physician-owned models are lawful.  It further cites to a 2006 California Attorney General Opinion2 finding it appropriate under certain enumerated circumstances for a physician to prescribe medical devices distributed by a company in which the physician has an ownership interest.  At that point, the account turns to describing a veritable crusade undertaken by “Big Corporations” – large entities also in the business of manufacturing medical devices – that the complaint alleges found their market share diminishing in the face of competition from the smaller physician-owned entities permitted by Hanlester and the California opinion.  These Big Corporations are alleged to have mounted a campaign to influence the OIG to issue the POD Fraud Alert.

Among the actions said to have been undertaken by the Big Corporations during the ensuing years were:

  • Forming lobbying entities
  • Making major campaign contributions
  • Hiring a major law firm to advocate for legislative and regulatory action before OIG, the Centers for Medicare & Medicaid Services, Congress, and states
  • Causing the publication of papers and articles finding PODs to be abusive
  • Lobbying successfully for Congressional hearings in 2011 (in turn causing the issuance of a Senate report on PODs questioning their legality)
  • Successfully lobbying the OIG to issue the 2013 Fraud Alert finding PODs “inherently suspect” under the federal anti-kickback statute, even in the absence of “suspect characteristics,” and warning hospitals and other entities that they may be “at risk” if they choose to do business with PODs

Reliance argues that the Fraud Alert is, simply, “wrong and inconsistent with the law.”  Further, it alleges “inappropriate leaks” to The Wall Street Journal and other publications of HHS-OIG efforts to enforce the Fraud Alert, including against Reliance itself, and it asserts the OIG has infringed its constitutional rights.

Nowhere in its complaint does Reliance address what the OIG characterizes in the Fraud Alert – and has long reiterated in multiple publications over the years – as “major concerns” that can arise from physician kickback activity and self-dealing:  (1) corruption of medical judgment; (2) overutilization; (3) increased costs to federal health care programs and beneficiaries; and (4) unfair competition.  Further, it fails to note that the OIG specifically acknowledges that the lawfulness of a particular POD under the anti-kickback statute is a fact-specific analysis that depends on the parties’ intent; that certain safeguards and characteristics might support the defensibility of a POD; and that the “anti-kickback statute is not a prohibition on the generation of profits.”  All of these factors doubtless will be raised by the OIG in defense of the lawsuit.  

In the meantime, while the Reliance complaint promises to reignite academic discussion of the POD issue among health care lawyers, it is unlikely to impact the willingness of physicians, hospitals, and other entities to re-enter the POD market.

__________________________________________

1  Hanlester Network v. Shalala, 51 F.3d 1390 (9th Cir. 1995)
2  Opinion of Bill Lockyer, 89 Ops. Cal. Atty. Gen. 25 (2006)

CMS Releases List of Teaching Hospitals; Educational Efforts and Requests for Additional Clarification Regarding the Physician Payment Sunshine Final Rule Continue

This post was written by Elizabeth Carder-Thompson, Katie C. Pawlitz and Nancy E. Bonifant.

In preparation for data collection to begin under the Physician Payment Sunshine Act Final Rule on August 1, 2013, the Centers for Medicare & Medicaid Services (CMS) released yesterday the list of teaching hospital covered recipients to which payments and other transfers of value must be reported by applicable drug and device manufacturers.  The list, which will be updated annually by CMS at least 90-days before the beginning of a reporting year, can be found on CMS’ National Physician Payment Transparency Program: OPEN PAYMENTS website and includes approximately 1,100 legal business names that are organized by state and tax identification number.

CMS also announced this week that it will be holding a National Provider Call on Wednesday, May 22, 2013 at 2:30 PM EST, directed at physicians and teaching hospitals.  The agenda for the call includes an overview of the Final Rule, key dates, the role of covered recipients and resources available to covered recipients.

Meanwhile, stakeholders and their representatives, including the American Medical Association (AMA) and the Advanced Medical Technology Association (AdvaMed), have continued to seek additional clarification from CMS on a variety of outstanding questions.  These questions include whether journal reprints provided by a manufacturer to a physician or teaching hospital have a discernible economic value that triggers reporting requirements, what constitutes a payment or transfer of value to a teaching hospital as opposed to payments or transfers of value to an employee of the teaching hospital, and more.  Ideally, CMS will issue further guidance on these issues in sufficient time for applicable manufacturers to prepare for the data collection deadline this summer.

CMS and OIG Propose Extension of Electronic Health Record Donation Protections

This post was written by Jennifer Pike and Brad Rostolsky.

The Centers for Medicare & Medicaid Services (CMS) and the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) have each proposed new rules to extend existing protections that allow hospitals to donate electronic health record (EHR) technology to physicians who refer patients to their facilities. By way of background, in 2006, CMS established an exception to the Stark self-referral law to allow hospitals to donate EHR technology to physicians under certain circumstances. Likewise, in 2006, the OIG established a safe-harbor to protect such EHR donations from enforcement under the federal anti-kickback statute. While both protections are set to expire on December 31, 2013, the proposed rules would extend the provisions until the end of 2016 as a means to facilitate the adoption of EHR technology.

In addition to extending the EHR donation protections, the proposed rules would (1) remove the requirement from the original rule that donated EHR technology contain electronic prescribing capability, and (2) update the provision under which EHR technology is deemed interoperable, which would expand the types of EHR systems that qualify for the protections.

CMS’s proposed rule is available here. The OIG’s proposed rule is available here. Comments regarding both proposed rules should be submitted in writing, or electronically at www.regulations.gov, by June 10, 2013.

OIG Views PODs As "Inherently Suspect" Under the Anti-Kickback Statute

This post was written by Elizabeth B. Carder-Thompson, Catherine A. Hurley, Joseph W. Metro and Elizabeth Doyle O'Brien.

Referencing what it deems a “proliferation” of physician-owned distributors (PODs), on March 26, 2013, the Department of Health and Human Services (HHS) Office of Inspector General (OIG) released a Special Fraud Alert identifying significant concerns with such entities under federal anti-kickback principles.1 For purposes of the Alert, the OIG defines a POD as “any physician-owned entity that derives revenue from selling, or arranging for the sale of, implantable medical devices,” including “physician-owned entities that purport to design or manufacture, typically under contractual arrangements, their own medical devices or instrumentation.” Specifically, the OIG describes in somewhat unusual detail the multiple “attributes and practices” of PODs that the OIG believes “produce substantial fraud and abuse risk and pose dangers to patient safety.”

Notably, the Alert is focused on PODs that derive revenue from selling, or arranging for the sale of, implantable medical devices that are ordered by physician-owners for use in procedures that physician-owners “perform on their own patients at hospitals or ambulatory surgical centers (ASCs).” However, the OIG states that “the same principles would apply when evaluating arrangements involving other types of physician-owned entities.”

Brief Background

The legitimacy of PODs has been subject to question for a number of years by both Congress and the OIG. In June of 2011, a Finance Committee Minority analysis released by Sen. Orrin Hatch examined the growth of PODs, primarily in the orthopedic implant (spine and total joint) sector of the device industry. The Finance report concluded that "[t]he very nature of PODs seem to create financial incentives for physician investors to use those devices that give them the greatest financial return and that, in the process, patient treatment decisions may be based on personal financial gain. This is especially troubling given numerous concerned allegations provided to the Committee that, due to their financial interest, physician investors in PODs may perform more procedures than are medically necessary or may use implants of inferior quality or that are not best suited for the procedure." For background on the Congressional activity, see our earlier update.

The OIG’s Work Plan for 2012 included an entry on PODs, as follows:

We will determine the extent to which physician-owned distributors (POD) provide spinal implants purchased by hospitals. We will also analyze Medicare claims data to determine whether PODs we identify in our review are associated with high use of spinal implants. PODs are business arrangements involving physician ownership of medical device companies and distributorships. PODs are focused primarily in the surgical arena and are currently primarily involve orthopedic implants such as spine and total joints. However, PODs appear to be quickly growing into other areas such as cardiac implants. Congress has expressed concern that PODs could create conflicts of interest and safety concerns for patients. (OEI; 01-11-00660)

Although the OIG report was expected in FY 2012, it has not yet been issued. Evidently, the OIG’s ongoing analysis has been such that it concluded a Fraud Alert was the most advisable next step.

Terms of POD Fraud Alert

The OIG summarizes the attributes and practices of PODs about which it has significant concerns as follows:

  • Selecting investors because they are in a position to generate substantial business for the entity;
  • Requiring investors who cease practicing in the service area to divest their ownership interest; and
  • Distributing extraordinary returns on investment compared to the level of financial risk involved.

The OIG states that such “questionable features” present four “major concerns” that are typical of kickbacks: (1) corruption of medical judgment; (2) overutilization; (3) increased costs to federal health care programs and beneficiaries; and (4) unfair competition. The OIG goes on to provide a more detailed series of POD characteristics that elevate the level of fraud and abuse risk in the OIG’s view (reprinted at end). The OIG adds that a POD “exclusively” serving its physician-owners’ patient base poses a higher risk of fraud and abuse than “a POD that sells to hospitals and ASCs on the basis of referrals from nonowner physicians.”

The OIG dismisses the notion that “disclosure to a patient of the physician’s financial interest in a POD is sufficient” to address its concerns, maintaining that “PODs are inherently suspect under the anti-kickback statute,” and cautions that the Alert should not be viewed as a road map for structuring acceptable POD entities. That said, the OIG acknowledges that the lawfulness of a particular POD under the anti-kickback statute is a fact-specific analysis and depends on the parties’ intent, and that certain safeguards and characteristics might support the defensibility of a POD. The OIG also concedes that the “anti-kickback statute is not a prohibition on the generation of profits.”2

The OIG specifically discusses in the Alert how PODs generating “disproportionately high rates of return for physician-owners may trigger heightened scrutiny.” Moreover, if “physician-owners are few in number” or “alter their medical practice after or shortly before investing in the POD,” in terms of the number of surgeries performed or the type of device the physician uses (for example, sudden exclusive use of the POD device), the OIG is particularly likely to view the POD as problematic under the anti-kickback statute. It believes such facts tend to show that referral volume bears directly on financial returns to the physician-owners.

Regarding PODs that “purport to design or manufacture their own devices,” the OIG states that the “risk of fraud and abuse is particularly high” where the physician-owners of the POD “are the sole (or nearly the sole) users of the devices” and that “claims—particularly unsubstantiated claims—by physician-owners regarding the superiority of [their] devices . . . do not disprove unlawful intent.”

Significantly, the Alert emphasizes that potential liability under the anti-kickback statute can extend to any ASC or hospital that purchases devices from a POD in order to “maintain or secure referrals from the POD’s physician-owners.” Thus, the third POD risk characteristic cited by the OIG in this regard looks at whether the physician owners (i) have stated or implied they will perform surgeries or refer patients elsewhere if the hospital or ASC does not purchase devices from the POD, (ii) have promised or implied they will move surgeries to the hospital or ASC if it does purchase devices from the POD, or (iii) have required the hospital or ASC to enter into an exclusive purchase arrangement with the POD.

Based on past experience, publication by the OIG of a Special Fraud Alert signals that increased investigative and enforcement activity is likely to follow. Given this, parties to existing POD arrangements—PODs themselves, device manufacturers, as well as hospitals and ASCs with POD purchasing arrangements—should work with their health care regulatory counsel to assess or reassess risk under the anti-kickback statute in light of the OIG’s detailed commentary.

 

POD Characteristics That Elevate Risk Per The OIG Fraud Alert:

  • The size of the investment offered to each physician varies with the expected or actual volume or value of devices used by the physician.
  • Distributions are not made in proportion to ownership interest, or physician-owners pay different prices for their ownership interests, because of the expected or actual volume or value of devices used by the physicians.
  • Physician-owners condition their referrals to hospitals or ASCs on their purchase of the POD’s devices through coercion or promises, for example, by stating or implying they will perform surgeries or refer patients elsewhere if a hospital or an ASC does not purchase devices from the POD, by promising or implying they will move surgeries to the hospital or ASC if it purchases devices from the POD, or by requiring a hospital or an ASC to enter into an exclusive purchase arrangement with the POD.
  • Physician-owners are required, pressured, or actively encouraged to refer, recommend, or arrange for the purchase of the devices sold by the POD or, conversely, are threatened with, or experience, negative repercussions (e.g., decreased distributions, required divestiture) for failing to use the POD’s devices for their patients.
  • The POD retains the right to repurchase a physician-owner’s interest for the physician’s failure or inability (through relocation, retirement, or otherwise) to refer, recommend, or arrange for the purchase of the POD’s devices.
  • The POD is a shell entity that does not conduct appropriate product evaluations, maintain or manage sufficient inventory in its own facility, or employ or otherwise contract with personnel necessary for operations.
  • The POD does not maintain continuous oversight of all distribution functions.
  • When a hospital or an ASC requires physicians to disclose conflicts of interest, the POD’s physician-owners either fail to inform the hospital or ASC.

 

__________________________________________

1  See OIG, “Special Fraud Alert: Physician-Owned Entities” (Mar. 26, 2013).

2  The OIG perhaps is referencing a notable statement in a recent fraud and abuse opinion by the Sixth Circuit Court of Appeals, finding in favor of an entity under investigation, to the effect that: “Why a business ought to be punished solely for seeking to maximize profits escapes us.” U.S. ex rel. Williams v. Renal Care Group Inc., 2012 WL 4748104 (6th Cir. 10/5/12).

Sunshine Physician Payment Final Rule Overview and Analysis

This post was written by Elizabeth B. Carder-Thompson, Katie C. Pawlitz and Nancy E. Bonifant.

On February 1, 2013, the Centers for Medicare & Medicaid Services (CMS) of the Department of Health and Human Services (HHS) released the long-awaited Final Rule to implement the “Sunshine” provisions of the Affordable Care Act of 2010 (ACA). The Sunshine provisions - intended to provide increased transparency on the scope and nature of financial and other relationships among manufacturers, physicians, and teaching hospitals - require that certain manufacturers of drugs, devices, biologicals, and medical supplies covered by Medicare, Medicaid and CHIP report annually to HHS identified payments or transfers of value they have made to physicians and teaching hospitals. In addition, they require manufacturers and certain group purchasing organizations (GPOs) to report to HHS information on physician ownership and investment interests.

The Final Rule provides needed clarity on some troubling aspects of the proposal, however, it leaves a number of questions unanswered. Please click here to read our detailed analysis of the Sunshine provisions, including an overview and summary of the Rule as well as discussion of the important issues that stakeholders should be considering as they prepare for Sunshine implementation.

OCR Continues to Use Breach Self-Reports as an Invitation to Audit General HIPAA Compliance

Massachusetts Provider Becomes Third Seven-Figure Settlement Since March

This post was written by Nancy E. Bonifant and Brad M. Rostolsky.

On September 17, 2012, the HHS Office of Civil Rights ("OCR") announced another settlement and corrective action plan following an entity’s breach self-report required by HITECH’s Breach Notification Rule. Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively "MEEI") have agreed to pay $1.5 million to settle potential violations of the HIPAA Security Rule following the theft of a physician’s unencrypted, but protected, laptop, providing additional evidence that: (1) OCR will likely view any breach notification as an opportunity to conduct a de facto audit of an entity’s general HIPAA compliance; and (2) encryption of all portable devices containing electronic protected health information ("ePHI"), though not technically "required," is a critical compliance consideration.

The information contained on the laptop, which was stolen while the physician was lecturing in South Korea in 2010, included prescriptions and clinical information for approximately 3,600 patients and research subjects. According to MEEI, although unencrypted, the laptop was password protected and contained a tracking device commonly referred to as "LoJack." Using LoJack, MEEI determined that a new operating system was installed on the computer and that the software needed to access the ePHI was not reinstalled. After concluding that retrieval of the laptop was unlikely, MEEI remotely permanently disabled the hard drive and rendered any ePHI unreadable.

Although OCR’s subsequent investigation revealed no patient harm as a result of the breach, the agency did find that the breach indicated a long-term, organizational disregard for the requirements of the Security Rule. More specifically, over an extended period of time, MEEI failed to:

  • Conduct a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices;
  • Implement security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained, and transmitted using portable devices;
  • Adopt and implement policies, and procedures to restrict access to ePHI to authorized users of portable devices; and
  • Adopt and implement policies and procedures to address security incident identification, reporting, and response.

Following on the heels of the Alaska Department of Health and Social Services’ $1.7 million settlement in June, which also followed a breach that affected a relatively small number of individuals, OCR’s recent enforcement actions suggest that its focus is on the lack of overall HIPAA compliance that may lead to a breach and not the breach itself. This settlement also reaffirms the practical necessity of encrypting all ePHI on portable devices. According to Leon Rodriguez, Director of OCR,  "[i]n an age when health information is stored and transported on portable devices such as laptops, tablets, and mobile phones, special attention must be paid to safeguarding the information held on these devices."

In addition to the $1.5 million settlement, the Resolution Agreement between MEEI and OCR included a corrective action plan, which requires MEEI to review, revise, and maintain policies and procedures to ensure compliance with the Security Rule, and retain an independent monitor who will conduct assessments of MEEI’s compliance with the corrective action plan and render semi-annual reports to HHS for a 3-year period. MEEI did not admit any liability in the agreement and OCR did not concede that MEEI was not liable for civil monetary penalties.

Additional information about OCR’s enforcement activities can be found at hhs.gov.

Massachusetts Attorney General Strikes: South Shore Hospital Settles Data Breach Allegations for $750,000

This post was written by Brad M. Rostolsky and Nancy E. Bonifant.

On May 24, 2012, the Attorney General of Massachusetts announced that South Shore Hospital of South Weymouth, Massachusetts (South Shore) agreed to settle allegations that it failed to protect the personal and protected health information of more than 800,000 individuals.  The settlement resulted from the hospital’s data breach report to the Attorney General in July 2010, which was also reported to the HHS Office of Civil Rights in accordance with the HIPAA Breach Notification Rule.  Although the Attorney General reported a $750,000 settlement, South Shore was credited $275,000 for new security measures taken after the breach, bringing the actual amount to $475,000, of which $250,000 is a civil penalty and $225,000 shall be paid to an education fund to be used by the Attorney General’s Office to promote education concerning the protection of personal and protected health information.  South Shore also agreed to undergo a review and audit of its security measures and report the results to the Attorney General.

In February 2010, South Shore contracted with Archive Data Solutions (Archive Data) to erase and re-sell 473 data tapes.  According to the Attorney General, South Shore did not inform Archive Data that the tapes contained personal and protected health information, including individuals’ names, Social Security numbers, financial account numbers, and medical diagnoses.  The tapes were then shipped to a Texas subcontractor, but in June 2010, South Shore learned that only one of the three boxes of tapes arrived.  The two missing boxes were never recovered and there have been no reports of unauthorized use of the information.

Following its investigation of South Shore’s breach report, the Attorney General filed a lawsuit under the Massachusetts Consumer Protection Act and HIPAA.  State Attorney Generals have the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules, which includes obtaining damages and enjoining further violations, pursuant to HITECH, enacted as part of the American Recovery and Reinvestment Act of 2009.  In the lawsuit, the Attorney General alleged that South Shore failed to implement appropriate safeguards, policies, and procedures to protect the information, failed to have a Business Associate Agreement in place with Archive Data, and failed to properly train its workforce.

CMS Announces Data Collection for the Physician Payments Sunshine Act Will Not Be Required Before 2013

The Centers for Medicare & Medicaid Services (CMS), tasked with implementing the Physician Payments Sunshine Act, announced yesterday that it will not require pharmaceutical, device, and other applicable manufacturers and group purchasing organizations (GPOs) to begin collecting reportable data before 2013.  Once implemented, the Physician Payments Sunshine Act (Section 6002 of the Affordable Care Act) will require manufacturers and GPOs to report information regarding payments to physicians and physician ownership and investment interests.

To learn more about this development regarding the Physician Payments Sunshine Act, please see the full post written by Elizabeth B. Carder-Thompson, Katie C. Pawlitz, Nancy E. Bonifant and Debra A. McCurdy on Reed Smith’s Health Industry Washington Watch blog.


 

Small Cardiology Practice to Pay $100,000 to Settle Allegations of HIPAA Violations

This post was written by Nancy E. Bonifant and Brad M. Rostolsky.

On April 17, 2012, the HHS Office of Civil Rights (OCR) announced a settlement and corrective action plan with Phoenix Cardiac Surgery, P.C. (Phoenix), a small cardiology practice based in Phoenix and Prescott, Arizona. More specifically, Phoenix has agreed to pay $100,000 to settle allegations of HIPAA violations arising out of an investigation conducted by OCR.

OCR’s investigation of Phoenix followed a report that Phoenix was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR discovered the following issues:

  • Phoenix failed to implement adequate policies and procedures to appropriately safeguard patient information;
  • Phoenix failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
  • Phoenix failed to identify a security official and conduct a risk analysis; and
  • Phoenix failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its electronic protected health information.

This settlement serves as additional evidence of OCR’s increased focus on enforcement actions for alleged HIPAA violations, following just one month after the first enforcement action resulting from a breach self-report under the Breach Notification Rule. According to Leon Rodriguez, Director of OCR, he “hope[s] that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.” Additionally, the settlement provides further evidence that OCR will likely view any investigation of an alleged Privacy or Security Rule infraction as an opportunity to conduct a de facto audit of the entity’s general compliance with HIPAA.

In addition to the $100,000 settlement, the Resolution Agreement between Phoenix and OCR requires Phoenix to develop and maintain written Privacy and Security policies, which will set forth, at a minimum, administrative safeguards, technical safeguards, and training of all Phoenix’s workforce members. In addition, Phoenix will provide specific training on the Privacy and Security policies within 60 days of OCR’s approval to all workforce members who use or disclose protected health information and will report any violations of those policies and procedures by a workforce member to OCR within 30 days. Phoenix did not admit any liability in the agreement and OCR did not concede that Phoenix was not liable for civil monetary penalties.

Additional information about OCR’s enforcement activities can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.

 

OCR Announces First Enforcement Action Resulting From a Breach Self-Report

This post was written by Nancy E. Bonifant and Brad M. Rostolsky.

On March 13, 2012, the HHS Office of Civil Rights (OCR) announced the first enforcement action resulting from a breach self-report required by HITECH’s Breach Notification Rule. Blue Cross Blue Shield of Tennessee (BCBST) has agreed to pay HHS $1,500,000 to settle potential violations of the HIPAA Privacy and Security Rules and has entered into a corrective action plan to address gaps in its HIPAA compliance program.


The HIPAA/HITECH Breach Notification Rule requires covered entities to report a breach (e.g., an impermissible use or disclosure of protected health information that compromises the security or privacy of the protected health information) to the affected individual(s), HHS and, at times, the media. OCR’s investigation of BCBST followed a breach report submitted by BCBST informing HHS that 57 unencrypted computer hard drives were stolen from a leased facility in Tennessee. The hard drives contained the protected health information of more than 1 million individuals, including member names, social security numbers, diagnosis code, dates of birth, and health plan identification numbers.


According to OCR’s investigation, BCBST failed to implement appropriate administrative and physical safeguards as required by the HIPAA Security Rule. More specifically, BCBST failed to perform the required security evaluation in response to operational changes and did not have adequate facility access controls.


In addition to the $1,500,000 settlement, the Resolution Agreement between BCBST and OCR requires BCBST to revise its Privacy and Security policies, conduct robust trainings for all employees, and perform monitor reviews to ensure compliance with the corrective action plan. BCBST did not admit any liability in the agreement and OCR did not concede that BCBST was not liable for civil monetary penalties.

Additional information about OCR’s enforcement activities can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.

Overview and Analysis of the Proposed Federal Sunshine Regulations

On December 19, 2011, the Centers for Medicare & Medicaid Services (“CMS”) published a proposed rule (the “Proposed Rule”) related to section 6002 of the Affordable Care Act, commonly referred to as the “Physician Payment Sunshine Act.” The Physician Payment Sunshine Act requires applicable manufacturers of drugs, devices, biologicals, or medical supplies covered under Medicare, Medicaid, or CHIP to report annually to the Secretary of the Department of Health and Human Services (“Secretary”) certain payments or other transfers of value to physicians and teaching hospitals. Additionally, applicable manufacturers and applicable group purchasing organizations (“GPOs”) must report certain information regarding the ownership or investment interests in them that are held by physicians or their immediate family members.

To learn more about this development regarding the Physician Payment Sunshine Act, please see the full post written by Elizabeth B. Carder-Thompson, Katie C. Pawlitz, Nancy E. Bonifant and Debra A. McCurdy on Reed Smith’s Health Industry Washington Watch blog.

OCR Launches Privacy and Security Audits

This post was written by Brad M. Rostolsky and Nancy E. Bonifant.

To implement the HITECH Act’s mandate for the Office for Civil Rights (OCR) to perform HIPAA audits, OCR has just announced that it is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance. Audits conducted during the pilot phase are planned to begin with an initial 20 audits between November 2011 and April 2012. The remaining audits are scheduled to conclude by December 2012. All covered entities and business associates are eligible for audits; however, OCR has indicated that it is focusing on covered entities (range in type and size) in the initial phase. Business associates will be included in future audits.

During the pilot, every audit will include a document production and onsite visit, and will result in an audit report. OCR will notify a selected covered entity in writing and request documentation of the covered entity’s privacy and security compliance efforts. The covered entity must comply within 10 business days. OCR expects to notify selected covered entities between 30 and 90 days prior to the anticipated onsite visit. Onsite visits may take between three and 10 business days, and after fieldwork is completed, the auditor will provide the covered entity with a draft final report. Selected covered entities will then have 10 business days to review and provide written comments back to the auditor. The auditor will complete a final audit report within 30 business days after the covered entity’s response and submit it to OCR.

Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem. Significantly, OCR will not post a listing of audited entities or the findings of an individual audit that clearly identifies the audited entity.

A description of the pilot program is available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html

 

CMS and FDA Announce Parallel Review Pilot Program

This post was written by Susan Edwards, Elizabeth Carder-Thompson, Gail Daubert, Celeste Letourneau, and Debra McCurdy.

On Friday, October 7, 2011, the Centers for Medicare & Medicaid Services ("CMS") and the Food and Drug Administration ("FDA") (collectively, the "Agencies") announced they were soliciting nominations from sponsors of medical devices to participate in the Agencies’ parallel review pilot program. The Agencies officially published a Federal Register notice announcing the program October 11, 2011 (the "Notice"), with an effective date of November 10, 2011, although the Agencies began accepting nomination submissions October 7.

To read the full alert, which summarizes the Notice and discusses potential implications for manufacturers that may be considering participation in the pilot program, click here.

Prospects Unclear for CMS/FDA Proposed Parallel Review of Medical Products

This post was written by Susan A. Edwards, Elizabeth B. Carder-Thompson, Gail L. Daubert and Celeste A. Letourneau.

Notably absent from last month’s Department of Health and Human Services Semiannual Regulatory Agenda was any indication of where the Centers for Medicare and Medicaid Services ("CMS") and the Food and Drug Administration ("FDA") stand with respect to their notice with request for comments, issued last fall, on the proposed parallel review process for medical products. While CMS and FDA officials confirmed that they are currently reviewing comments submitted during the review period, they declined to speculate on when they intend to act. The comments submitted, however, provide insight into industry views on this important issue, including widespread discontent with the approval mechanisms currently available. We have undertaken a review of all of the comments submitted and extracted the eight main concerns cited in the following analysis.

Senate Finance Committee Report Inquires into Physician-Owned Distributors

This post was written by Joseph W. Metro, Gina M. Cavalier and Jouya Rastegar.

On June 9, 2011, Senator Orrin Hatch released a report by the Senate Finance Committee Minority Staff that outlines key concerns about Physician-Owned Distributors (“PODs”), specifically regarding the lack of regulatory oversight and clear guidance from the Department of Health and Human Services Office of Inspector General (“OIG”). The Committee Minority’s report, Physician Owned Distributors (PODs): An Overview of Key Issues and Potential Areas for Congressional Oversight, set forth findings of committee staff who spoke to over fifty people and reviewed thousands of pages of documents. In addition to the report, the Chairman and Ranking Members of the Senate Financial Committee, Special Committee on Aging, and Judiciary Committee sent letters on the same day to the Administrator for Centers for Medicare & Medicaid Services (“CMS”)and the Inspector General of Health and Human Services (“HHS”) requesting further inquiry into the concerns set out in the Senator Hatch’s report.

The crux of the Committee’s concern with PODs is the potential for fraud and abuse the Committee believes to be inherently found in PODs. Historically, implantable medical devices (these are what the report focuses on) have been sold to hospitals and surgery centers directly from the device manufacturers or through independent distributors. More recently, PODs have come into existence to buy the devices from manufacturers and sell them to hospitals or surgery centers. PODs are mostly comprised of small groups of physicians who create companies to distribute, and in some cases manufacture, medical devices for implantation in surgeries. The large majority of products sold by PODs are sold to hospitals where their own physician investors practice. This is where the concern stems from—physicians’ potential ability to profit through distribution markups on products they are selling through the PODs in which they are owners or investors, particularly where the PODs likewise solicit discounts from manufacturers based on preferred positioning or other “captive” volume.

The report: (1) explains the history of PODs and their business models; (2) describes the concerns for fraud and abuse; (3) highlights the regulatory environment in which they exist; and (4) concludes by outlining what the should happen to address concerns. The nature of PODs creates financial incentives for physician owners to use devices that yield personal financial return, which may implicate the federal anti-kickback statute’s prohibition on inducements to purchase or order items covered under federal health care programs. The report listed anecdotal and evidence-based reasons for concern, such as instances of surgeons performing eight to ten procedures on elderly patients despite the serious health risks, stories of surgeons redoing previous surgeries to use their own POD products, an analysis from the Quality Implant Coalition, a coalition of manufacturers of implantable medical devices, which showed claims data from one hospital indicating a 300 percent increase in spinal fusion surgery after a spinal product POD moved into the hospital’s area, and an April 2010 Journal of the American Medical Association study that found a fifteen-fold increase in the number of spinal fusion surgeries for Medicare patients from 2002-2007, the period during which PODs became a more prevalent business model. On the other hand, the report mentioned a paper written by a POD, which was presented at the American Association of Orthopedic Surgeons 2009 annual meeting, in which the POD asserted that its business model helped saved the hospital with which it was affiliated thirty-four percent over a two year-period—a total savings of over one million dollars.

The legal implications of the business of PODs have not been entirely clear because the regulatory environment in which they find themselves is murky. As highlighted in the Senate Finance Committee report, the OIG issued written guidance on the issue of PODs and expressed the need to carefully review and closely scrutinize these entities under fraud and abuse laws and its Special Fraud Alert relating to joint venture arrangements. Similarly, CMS has declined to regulate PODs under the Stark law. However, the Senate Finance Committee report indicated that there has been a lack of any recent or more specific guidance on this topic. Further the report noted that POD arrangements might implicate the Sunshine Act’s reporting requirements relating to manufacturer financial arrangements with physicians, for which HHS has not yet issued guidance.

The report, as well as the letters to the HHS Inspector General and CMS Administrator, call for several measures to address concerns: (1) further inquiring into and closely examining PODs and their current structures and activities; (2) providing additional regulatory guidance from OIG and/or Congress; (3) including the distribution model of PODs into CMS’ final definition of “applicable manufacturers,” in order to require PODs to fall under the Sunshine Act financial reporting requirements; (4) accounting for the POD business model when CMS promulgates the final Accountable Care Organization regulation to protect against abuses posed by PODs; and (5) developing recommendations for further actions.
 

HHS Issues Notice of Proposed Rulemaking Regarding the HIPAA Privacy Rules Standard for Accounting of Disclosures Requirements and Access Report

This post was written by Gina M. Cavalier and Brad M. Rostolsky.

Today the Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking implementing provisions of the HITECH Act related to accounting for disclosures of protected health information (PHI). Pursuant to the HITECH Act and its more general authority under HIPAA, HHS proposed to divide the Privacy Rule provisions related to an accounting into two separate individual rights: (1) an accounting and, (2) an access report.

With respect to an accounting, HHS proposes that individuals have a right to an accounting of disclosures of PHI in a designated record set made by a covered entity or a business associate: (i) for impermissible purposes, (ii) for public health activities, (iii) for judicial and administrative proceedings, (iv) for law enforcement purposes, (v) to avert a serious threat to health or safety, (vi) for military and veterans activities, and (vii) for workers compensation. The proposed compliance date for this provision is 180 days after the effective date of the final rule.

With respect to the access report, HHS proposes to provide individuals with the right to receive a report detailing who has accessed their electronic PHI in a designated record set maintained by a covered entity or its business associates. HHS proposes that covered entities and business associates provide individuals with a right to an access report beginning January 1, 2013, for electronic designated record set systems acquired after January 1, 2009, and beginning January 1, 2014 for electronic designated record set systems acquired as of January 1, 2009.

The proposed rule is posted here.

Comments are due in 60 days - August 1, 2011.

HHS Issues Notice of Proposed Rulemaking Regarding the HIPAA Privacy Rules Standard for Accounting of Disclosures Requirements

This post was written by Gina M. Cavalier, Vicky G. Gormanly and Brad M. Rostolsky.

Pursuant to the HITECH Act, covered entities and business associates must account for disclosures of PHI for treatment, payment and health care operations if the disclosures are through an electronic health record. This represents a significant change to the requirements under the current HIPAA Privacy Rule. The Department of Health and Human Services (HHS) will shortly publish a notice of proposed rulemaking to modify the Privacy Rule’s standard for accounting of disclosures of protected health information. An advance copy of the proposed rule is available here.

HHS proposes to expand the accounting requirements of the Privacy Rule to provide individuals with the right to receive an access report detailing who has accessed their electronic PHI in a designated record set. Accordingly, HHS proposes to revise an individual’s right to an accounting under the Privacy Rule by separately setting forth an individual’s right to (a) an accounting of disclosures and (2) an access report. HHS has also proposed other changes designed to improve the workability and effectiveness of the existing accounting of disclosures requirements.

 

Comments are due 60 days after the proposed rule is published in the Federal Register.

 

More to come...

HHS Announces First Ever Civil Money Penalty for Violations of HIPAA Privacy Rule

This post was written by Gina M. Cavalier.

Earlier today the Department of Health and Human Services' (HHS), Office for Civil Rights (OCR) announced the imposition of the first ever civil money penalty for violations of the HIPAA Privacy Rule. The penalty - which is $4.3 million - was assessed against Cignet Health of Prince Georges County, a health insurer. The underlying HIPAA violations include (1) failing to provide patients with access to their medical records, and (2) failing to cooperate with OCR's investigation into the failure to provide access. The HHS press release is available here.

To discuss this or any other HIPAA or data privacy/security issue, please contact Mark S. Melodia or Gina M. Cavalier.

New Jersey Seeks General Assistance Rebate Payments From Non-Participating Pharmaceutical Manufacturers

This post was written by Joseph W. Metro and  David E. Dopf .

The New Jersey Department of Human Services (“Department”) has sent letters to numerous pharmaceutical manufacturers demanding rebate payments under the Work First New Jersey General Public Assistance/Medicare Part D Wraparound Drug Rebate Program (“GA Rebate Program”). The Department is seeking to collect payments from manufacturers that have chosen not to participate in the GA Rebate Program and thus never entered into a GA Rebate Program agreement with the Department (“Rebate Agreement”). In addition, for some manufacturers that have entered into Rebate Agreements, the Department is now seeking payments for time periods prior to the effective dates of those Rebate Agreements.

The Department’s demand letters have uniformly provided the manufacturers with the option of requesting, within twenty (20) days from their receipt of the letter, either a pre-hearing conference for purposes of trying to resolve the payment dispute or a formal hearing before the New Jersey Office of Administrative Law (“OAL”). Manufacturers choosing to pursue a pre-hearing conference can still request a hearing before the OAL within twenty (20) days from the date of the pre-hearing conference if the dispute is not resolved.

We believe there are very strong arguments in support of the position that a manufacturer cannot be liable for payments under the GA Rebate Program in the absence of a Rebate Agreement covering the time period for which the payments relate. Please contact Joe Metro or David Dopf if you have any questions regarding the Department’s actions or would like assistance challenging the Department’s demand for payment.
 

Final HITECH Privacy and Security Rule Expected Soon

According to a senior health information technology and privacy specialist at HHS Office for Civil Right (OCR), regulations finalizing the July 14, 2010, proposed rule implementing many of the HITECH Act's privacy, security, and enforcement requirements could be published by the end of 2010 or in early 2011.   Additionally, OCR, developing a HITECH Act required "periodic audit" plan, which will be targeted to ensure that covered entities and business associates comply with the requirements of  the Privacy and Security Rules. 

We'll keep you posted as things progress . . .

Final Breach Notification Rule: HHS Back to the Drawing Board

The Department of Health and Human Services (HHS) has announced that its development of a Final Breach Notification Rule (currently, the rule is in interim final form) has been stalled, as the final rule was withdrawn from consideration of the Office of Management and Budget  in order for HHS to give further consideration to what the final rule should include.  HHS has remained relatively quiet regarding the development of a Final Breach Notification Rule, but has announced that it intends for a final rule to be published "in the coming months." 

New HITECH/HIPAA Proposed Rule Released Today

HHS has just released its proposed rule modifying the HIPAA Privacy, Security, and Enforcement Rules to implement the privacy, security, and certain enforcement provisions of subtitle D of the Health Information Technology for Economic and Clinical Health Act (Title XIII of the American Recovery and Reinvestment Act of 2009).  The advance version of the rule can be accessed here; the official version will be published July 14.  A press release should be available later this morning.

Pursuant to the announcement of the proposed rulemaking on the HHS Privacy website, the proposed modifications to the HIPAA Rules include provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans. In addition, the proposed rule adopts provisions designed to strengthen and expand HIPAA’s enforcement provisions.

Importantly, HHS has stated that the new HIPAA regulations will not be enforced until 180 days after the final rule has become effective. Comments will be due on or about September 13, 2010.

More to come . . . 

Reed Smith Health Care Reform Review: The Affordable Care Act - Analysis and Implications for DMEPOS Suppliers

This post was written by Debra A. McCurdy

In April 2010, Reed Smith provided an extensive analysis of the recently-enacted health reform legislation, H.R. 3590, the Patient Protection and Affordable Care Act (PPACA), as amended by H.R. 4872, the Health Care and Education Reconciliation Act of 2010 (Reconciliation Act).  In this analysis, we concentrate on those provisions in the new law that will affect suppliers and manufacturers of durable medical equipment (DME), prosthetics, orthotics, and supplies (DMEPOS).

To read the full alert, click here.

Notes on the National Summit on Health Care Fraud

This post was written by Elizabeth Carder-Thompson.

Last week, in my capacity as president of the American Health Lawyers Association, I attended the first National Summit on Health Care Fraud, a joint undertaking by the U.S. Department of Health and Human Services and the U.S. Department of Justice. The conference brought together private sector leaders, law enforcement personnel, and health care experts as part of the Obama Administration’s coordinated effort to fight health care fraud. This was the first national gathering on health care fraud between law enforcement and the private and public sectors.

I.      Presentations and Trends

Leading the morning session, HHS Secretary Kathleen Sebelius vowed to “prevent, catch, and discourage fraudsters,” stating “Criminals – your days are numbered.” She promised an aggressive new fraud prevention focus, including enhanced Medicare Strike Force activities in a number of US cities, and continued coordinated, multi-agency initiatives under HEAT – the Health Care Fraud Prevention and Enforcement Action Team Secretary Sebelius also stated that, next week, the President’s budget likely will request an additional $1.7 billion in funding for fraud prevention and detection.

Attorney General Eric Holder disclosed that, in 2009, DOJ charged over 800 individuals in health care fraud cases, and obtained 580 convictions so far. DOJ also recovered billions of dollars in False Claims Act (qui tam) recoveries. He also promised that future fraud-busting efforts will include actively engaging the private sector (including Medicare beneficiaries recruited to serve on “Senior Medicare Patrols”), the insurance industry, and health care providers.

A panel comprised of representatives from CMS, FBI, OIG, DOJ, and others who have worked on what they call “the viral fraud cases in the Miami-Dade area” (i.e., spreading like a virus) told stories about the highly-aggressive and coordinated tactics and techniques they now employ. An Assistant United States Attorney who serves as the South Florida Health Fraud Coordinator, Luis Perez, said the days of prolonged subpoena productions, accountant analyses, extended research into cases, and deference to white collar defendants, are over: “We arrest everyone,” he said. His team of government agents and prosecutors seeks to bring the highest possible provable charges as offenses are committed, and then bring in additional evidence during the sentencing phase in order to seek upward adjustments under the Sentencing Guidelines to obtain maximum prison times.

The CEO of the Tufts Health Plan in Boston, James Roosevelt, highlighted anti-fraud tactics increasingly employed by private payers. For example, Tufts has hired Nick Messuri – formerly head of the Massachusetts Attorney General’s Medicaid Fraud Control Unit and a well-known, tough prosecutor in the state – as head of its antifraud group, which includes nine other attorneys. Tufts and other payers conduct their own clinical and other investigations relating to medical necessity, upcoding, miscoding, overutilization, outliers, illegal referrals, and more. Tufts currently has 128 open investigations, some of which are being conducted in cooperation with governmental entities to which it has made reports. 

II.      Investigative and Enforcement Predictions

During the afternoon, attendees were divided into discussion groups to consider such issues as effective law enforcement tactics, the role of states in fraud prevention, effective use of data, and more. A report on the break out-sessions will be published in the future, but some of the common themes I observed – and the future actions I predict – are as follows:

1) There will be heightened cooperation and more aggressive, coordinated enforcement in the public and private sectors to combat fraud, abuse, and waste. The main focus used to be Medicare fraud – now it is health care fraud across-the-board.

2) Increasingly, efforts will be directed at fraud and abuse prevention, and pre-payment scrutiny, rather than just focusing on “pay-and-chase” enforcement. CMS and private payers will be seeking to justify deviating from “prompt pay” requirements in the name of fraud and abuse prevention. A number of speakers commented that investment in health care fraud provides a multiple return – for DOJ, it was a $4 return for every dollar; for Tufts, a $7 return for every dollar; and for OIG, an $8 return for every dollar.

3) There will be increased attention paid to data coordination. Currently, Medicare, Medicaid, and private payers collect and maintain data in different ways, making utilization and other “pattern” comparisons difficult. This is going to change.

4) Governmental entities are directing their resources in a more data-driven and targeted way in order to identify fraudulent patterns. For example, they know that “fraudsters” who used to operate in Miami-Dade are moving up Route 95 into South Carolina and other states. Data shows that those who defrauded fee-for-service programs for a specific item or service, e.g., orthotics and diabetes supplies, are now moving to defraud Medicare Advantage plans. Providers sanctioned and excluded in one state are moving to another. Some of these schemes have worked in the past – but they will not in the future.

5) There will be greatly increased efforts to engage the general public – Medicare beneficiaries, their families, and others – in whistleblowing.

III.     What Does All of This Mean for the Future?

None of us committed to health care in America would countenance or want less than full punishment for “real” health care fraud. Unquestionably, many of the cases cited at the Summit fall in this category – billing for services not rendered, beneficiaries selling their Medicare numbers, false certifications by physicians for items of durable medical equipment, dental clinics pulling children’s teeth unnecessarily to obtain Medicaid payment, clinics billing for outmoded infusion therapy for HIV/AIDS patients, and more. I applaud aggressive and coordinated investigation and enforcement efforts to rid our system of these practices and their perpetrators, and the fraud-fighters in the government clearly are a very smart, very dedicated group 

I worry, however, that the zeal for health care fraud enforcement will inappropriately ensnare committed, compassionate health care providers, suppliers, and manufacturers. In our practice, we are increasingly seeing qui tam relators – whistleblowers – with dollar signs in their eyes, bringing questionable and even frivolous actions against their employers or former employers. We are seeing overburdened prosecutors taking years to make qui tam intervention decisions – while the relators continue to work and gather “data” at their employers’ places of business, to “support” their cases. 

I worry about Medicare contractors, eager to keep their contracts, trying a little too hard to prove to CMS that they are fraud-conscious. I have several supplier clients on 100% pre-pay Medicare review facing significant potential disallowances because a contractor decided for the first time to implement a technical Medicare manual provision about recording a specific date of service – when there is no question from the medical record that medically necessary, physician ordered, and readily documented services were in fact provided.

I worry about constitutional due process. One private insurance company representative at the Summit suggested that the government send announcements to all private payors when any qui tam cases are unsealed, so that the insurance companies can place “edits” on claims filed by the defendants, or at least pre-payment reviews – well before the case has been decided. I worry that the “arrest them all” enforcement mentality will harm the reputations and future livelihood of individuals not yet tried, who are later exonerated. 

There are no easy answers. At a minimum, though, in this rapidly-evolving investigative and enforcement environment, health care providers, suppliers, and manufacturers need to concentrate more than ever before on compliance. Moreover, their compliance efforts need to be real and not token ones, including comprehensive training, and internal auditing and monitoring with real consequences for employees and representatives falling short. The stakes are very high, and the so-called “radar screen” that companies used to joke about “flying under” now reaches all the way to the ground.

Reed Smith will continue to monitor developments with respect to health care fraud as the health care reform debate continues. In the interim, please contact Elizabeth Carder-Thompson in our Washington office if you have questions regarding this topic.

HHS Rule Implements HITECH Act Changes to HIPAA Enforcement

On Friday, October 30, 2009, the U.S. Department of Health and Human Services ("HHS") published an interim final rule and request for comments that implements certain HIPAA enforcement changes made pursuant to the HITECH ActConsistent with the provisions of the HITECH Act, the new rule amends the HIPAA enforcement regulations applicable to violations of each of HIPAA's Administrative Simplification Rules (i.e., Privacy Rule, Security Rule, Transactions and Code Sets Rules, Standard Unique Identifier for Employers (EIN Rule), and the Standard Unique identifier for Health Care Providers (NPI Rule)) by instituting the below categories of violations and tiered penalty scheme to HIPAA violations that occur on or after February 18, 2009. 

  • Unknown violations (i.e., if a person did not know and by exercising reasonable due diligence would not have known that a violation occurred): The penalty shall be at least $100 for each violation not to exceed $25,000 for all such identical violations during a calendar year, but may be no more than $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.
  • Violations due to reasonable cause and not to willful neglect: The penalty shall be at least $1,000 for each violation not to exceed $100,000 for all such identical violations during a calendar year, but may be no more than $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.
  • Violations due to willful neglect (and the violations have been corrected): The penalty shall be at least $10,000 for each violation not to exceed $250,000 for all such identical violations during a calendar year, but may be no more than $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.
  • Violations due to willful neglect (and the violations have not been corrected): The penalty shall be at least $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.

Furthermore, the interim final rule generally amends a covered entity's ability to employ an affirmative defense against an action seeking civil monetary penalties if (i) the covered entity did not have knowledge or constructive knowledge of the violation, and (ii) the violation was not due to reasonable cause and not willful neglect. HHS is also given the authority to waive a civil monetary penalty for violations due to reasonable cause and not willful neglect if the covered entity corrects the violation within 30 days of having knowledge that the violation occurred. 

Comments on this interim final rule will be considered if received by December 29, 2009.

White House Announces Funding for Medical Tort Reform Demonstration Projects

On September 17, 2009, the White House released a “Patient Safety and Medical Liability Reform Demonstration” Fact Sheet, which outlines a new $25 million Department of Health and Human Services initiative designed to help states and health care systems identify new models for managing medical liability claims. The three-pronged initiative will support competitive grants to states and health systems with a focus on the development, implementation and evaluation of alternatives to improve health care quality and patient safety while reducing medical liability.

The Funding Opportunity Announcement will be available within 30 days. The Agency for Healthcare Research and Quality will review applications and make award decisions in early 2010.

The evaluation of the initiative will be released publicly within 18 months of the end of the initiative. The evaluation will focus on short-term improvements in both patient safety and medical liability systems with an allowance for long-term assessment of improvements as well.