On January 10, New York’s Governor, Kathy Hochul, delivered the 2023 “State of the State” address. The address featured a number of health care reform initiatives—a strong indication that New York will prioritize health care issues and spending in the year ahead. Below is a summary of Governor Hochul’s big-ticket health care agenda items.

First, Governor Hochul outlined how New York plans to utilize its historic $20 billion, multi-year health care spending bill to build upon New York’s health care system in the following ways:

  • Establishing a “Commission on the Future of Health Care” to help guide New York’s strategic response to ongoing innovations in how New Yorkers pay for and deliver medical care given the shift to and adoption of digital, outpatient and in-the-home services;
  • Establishing a new capital grant fund for health care technology;
  • Reforming traveling nurse agency staffing practices to reduce health care spending and require staffing agencies to register and report operational data;
  • Expanding health care providers’ “scope of practice” by joining the Interstate Licensure Compact and the Nurse Licensure Compact; and
  • Streamlining approval processes for health care projects in New York, including the Certificate of Need process and steps to ensure that private sector health care transactions are financially sustainable and support quality and access to care objectives.

Second, Governor Hochul committed to improving access to, and the quality of, mental and behavioral health care. To achieve these goals, Governor Hochul proposed:

  • Expanding insurance coverage for mental health services by prohibiting insurance companies from denying access to medically necessary, high-need, acute, and crisis mental health services, and by adopting appointment availability and geographic accessibility standards for behavioral health services;
  • Expanding mental health services for school-aged children whose need for and access to mental health services were especially affected by pandemic-related school closures;
  • Increasing operational capacity for inpatient psychiatric treatment by 1,000 beds, including by requiring Article 28 community hospitals to make use of all of their existing beds and invest $27.5 million to support increased inpatient psych rates;
  • Improving mental health care coordination and planning by creating a system of accountability—from admission through discharge and post-acute care, including Critical Time Intervention Care Coordination Teams;
  • Dramatically expanding outpatient services with 12 new psychiatric emergency care sites and 40 new treatment teams, mobilized to reach the most at-risk New Yorkers and expanded certified community behavioral health clinics to provide walk-in integrated behavioral health care; and
  • Ensuring payment parity for behavioral health services rendered in-person or via telehealth.

Third, Governor Hochul’s administration plans to “strengthen the foundation” of New York’s health care system by:

  • Expanding Medicaid coverage for preventive health services and Medicaid’s buy-in program for New Yorkers with disabilities;
  • Protecting New Yorkers from burdensome medical debt and costs by preventing creditors’ attachment of homes and wages to secure medical debt, amending the Consumer Credit Fairness Act to cover medical debt, investing in medical debt literacy, and requiring hospitals to use a standard financial assistance application form;
  • Improving primary care by expanding access and increasing Medicaid reimbursement rates;
  • Ensuring access to high quality long-term care, including by investing in care teams to provide care for low-income adults in their home;
  • Revitalizing emergency medical services and medical transportation, including allowing EMTs to treat people out in the community; and
  • Supporting the ongoing collaboration between the Office of Addiction Services and Supports and the Department of Health in addressing the State’s substance abuse epidemic.

Finally, Governor Hochul emphasized the need for emergency preparedness. In the address, she explained how New York will prepare for future emergencies by:

  • Modernizing New York’s health reporting systems to be more secure in how it stores and transmits health data, and more efficient and effective in how it uses it;
  • Rebuilding the Wadsworth Laboratories to advance cutting edge research on biomedical and environmental issues critical to protecting the health of New Yorkers; and
  • Strengthening New York’s public health emergency readiness capacity in light of lessons learned during the COVID-19 pandemic.

The full State of the State book can be found here. Many of these proposals will be included in the Governor’s proposed budget, which is expected to be released around February 1, with final budget passage after Legislative review and negotiation around April 1.

Understanding the State’s health care policy and investment objectives is critical for health care businesses and stakeholders as they plan for and develop business goals for the year. The Firm’s Health Care team can assist with evaluating and implementing strategies to account for the forthcoming changes.

 

In recent years, there have been only a handful of corporate integrity agreements (“CIAs”) and integrity agreements (“IAs”) that have included a “conditional exclusion release” of the Office of the Inspector General for the United States Department of Health and Human Services’ (“HHS-OIG”) permissive exclusion authority under 42 U.S.C. § 1320a-7(b)(7) (“Permissive Exclusion Authority”).[1]  Inclusion of a conditional exclusion release is atypical, as HHS-OIG’s historical practice has been to provide an outright release of its Permissive Exclusion Authority in exchange for a CIA or IA.  It appears, based on an IA executed last month and the other recent CIAs and IAs, that a trend may be emerging.

Specifically, in December 2022, HHS-OIG entered into an IA with a Georgia-based physician, Aarti D. Pandya, M.D., and his practice, Aarti D. Pandya, M.D. P.C. (collectively, “Dr. Pandya”).  In atypical fashion, however, HHS-OIG required the IA to be for five years (as opposed to three years) and held Dr. Pandya to a conditional exclusion release contingent upon Dr. Pandya’s satisfactory completion of the IA (as opposed to outright providing a release of its Permissive Exclusion Authority).  This IA signals to the industry that HHS-OIG is not bound by precedent and that, perhaps, a belt and suspenders approach to resolving conduct allegedly violating the False Claims Act (“FCA”) may be emerging as HHS-OIG’s new norm.

Continue Reading Another Unique Integrity Agreement Signals a Trend towards HHS-OIG’s Comfort with a Belt and Suspenders

We previously noted that the regulations implementing the No Surprises Act (“NSA”) appeared to be inconsistent with the NSA because they seemed to establish the qualifying payment amount (“QPA”) as the appropriate payment amount to be used in arbitrations by certified IDR entities (viz. the regulation-established independent dispute resolution (“IDR”) process) between plans and providers, and that the United States District Court for the Eastern District of Texas (“Texas District Court”) vacated portions of the NSA regulations relating to the QPA for purposes of the IDR process.  The Federal government recently responded to the Texas District Court—by removing such portions of the NSA regulations.

Continue Reading The Saga of the No Surprises Act Continues to be … Surprising

The Centers for Medicare & Medicaid Services (“CMS”) recently published the proposed 2023 Physician Fee Schedule (“PFS”), which contains several important changes affecting Accountable Care Organizations (“ACOs”) that participate in the Medicare Shared Savings Program (“MSSP”), including a new Advanced Incentive Program. See Proposed 2023 PFS, 82 Fed. Reg. 45,860 (July 29, 2022).

ACOs enable health care providers to provide coordinated patient care to Medicare beneficiaries, and to share in the savings resulting from improved care. According to CMS, as of January 1, 2022, over 11 million Medicare beneficiaries receive care from 483 ACOs across the country. Id. at 46,093.

The proposed changes are intended to advance “growth, alignment, and equity,” and to “increase the percentage of people with Medicare in accountable care arrangements.” Id. at 46,093-94. Of note, and as described in a publication preceding the PFS, CMS proposed the changes to increase (i)  the number of beneficiaries assigned to MSSP ACOs; (ii) the number of higher spending populations in the program, since the change to regionally-adjusted benchmarks; and (iii) the representation of Black (or African American), Hispanic, Asian/Pacific Islander, and American Indian/Alaska Native beneficiaries assigned to MSSP ACOs, as compared to Non-Hispanic Whites.

Continue Reading CMS Aims to Grow ACO Participation

On July 20, 2022, the Office of Inspector General for the Department of Health and Human Services (“OIG”) issued a special fraud alert (“Alert”) advising “practitioners to exercise caution when entering into arrangements with purported telemedicine companies.” The Alert is only one of four such “special fraud alerts” that the OIG has issued in the past decade and it illustrates the importance of OIG’s statements.

OIG Flags Seven Characteristics of Telehealth Fraud

In the Alert, OIG cautions that certain companies that purport to provide telehealth, telemedicine, or telemarketing services (collectively, “Telemedicine Companies”) have carried out fraudulent schemes by: (i) aggressively recruiting physicians and non-physician practitioners (collectively, “Providers”) and (ii) paying kickbacks to such Providers in exchange for the ordering of unnecessary items or services, including durable medical equipment, genetic testing, and other prescription items. According to OIG, the fraudulent schemes have varied in design and operation and involved a variety of individuals, Providers, and health care vendors, including call centers, staffing companies, and marketers.

Continue Reading OIG Issues Special Fraud Alert Regarding Telemedicine Arrangements

On July 11, 2022, the Federal Trade Commission (FTC) published “Location, health, and other sensitive information: FTC committed to fully enforcing the law against illegal use and sharing of highly sensitive data,” on its Business Blog.  The blog post is likely related to an Executive Order (the “EO”) signed by President Biden in the wake of the Supreme Court’s Dobbs decision. Among other things, the EO directed the FTC to consider taking steps to protect consumers’ privacy when seeking information about and related to the provision of reproductive health care services.

While this latest drumbeat on this issue came from the FTC, we expect to see attention to this issue by other regulators, including, perhaps, the Department of Justice as well as state attorneys general.

Although the FTC post centers on location data and reproductive health services, it is likely that there will be more scrutiny of the collection and use of location data in general. This renewed focus will potentially subject a wide group of digital ecosystem participants to increased attention.  The spotlight will likely fall on interactive platforms, app publishers, software development kit (SDK) developers, data brokers and data analytics firms – over practices concerning the collection, sharing and perceived misuse of data generally.

The FTC blog post briefly explains the “opaque” world surrounding the collection of mobile location data (which the FTC asserts is often done without consumers’ full understanding) and the subsequent sharing and sale of information to data aggregators and brokers that then sell data access or data analysis products to marketers, researchers, or other businesses interested in gaining insights from alternative data sources. The post states that the misuse of mobile location and health information, including reproductive health data, “exposes consumers to significant harm.” As such, the FTC announced that it will “vigorously enforce the law if we uncover illegal conduct that exploits Americans’ location, health, or other sensitive data.”  More concrete legal requirements covering the collection and use of mobile location data may come with the passage of a bipartisan federal comprehensive privacy bill, but passage of this bill remains uncertain.

The FTC’s blog post closes with a few guidance tips on what companies should be considering when collecting or using sensitive consumer information, including location and health data:

  • Sensitive data is protected by various federal and state laws. Such laws include the FTC Act which regulates unfair and deceptive trade practices, the Children’s Online Privacy Protection Act (COPPA) and various state data privacy laws.
  • Examine claims that data “has been anonymized.” The FTC states that firms making misleading claims about anonymization in this area may violate the FTC Act, “especially in the context of location data.”
  • The agency will bring enforcement actions for misuse of consumer data. The post outlines several recent enforcement actions over misuse of sensitive consumer data, including location data.

The FTC’s blog post is just the latest in an increasing level of attention to the collection of data from mobile devices. As we’ve previously written about, the issue of location data has already garnered attention in Congress, and it would not be surprising to see some state legislatures – a number of which have already passed or considered comprehensive data privacy laws – take up the issue. Companies collecting or using mobile location data should pay close attention to developments in this area.

Fifty years of legal precedent established by Roe v. Wade, 410 U.S. 113 (1973), and Planned Parenthood of Southern Pa. v. Casey, 505 U.S. 833 (1992), were overturned in Dobbs v. Jackson Women’s Health Organization, holding that the Constitution does not confer a right to abortion and leaving abortion laws to individual states to decide. This new landscape has introduced a wave of legal questions, and among these are questions regarding the protection of personal information related to abortion and contraceptive services. In efforts to address some of these privacy questions, the Office for Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”) published new guidance with respect to the Health Information Portability and Accountability Act (HIPAA) Privacy Rule (“Privacy Rule”). The new HIPAA guidance generally reminds providers about their obligations under the Privacy Rule to safeguard patients’ protected health information (“PHI”), even under many circumstances where the information has been requested by government officials or in the context of litigation. In addition, recognizing the extent to which patient information is held on patients’ personal smartphones and not protected under HIPAA (e.g., data entered into personal health apps, search history related to abortion and other reproductive care, and geolocation data), yet may be relevant under new criminal and civil state abortion laws, HHS issued supplemental guidance to consumers on how to protect and secure personal information on phones and tablets that is not otherwise protected by HIPAA.

Under the Privacy Rule, disclosure of PHI without patient authorization is permitted only in “narrow circumstances”, and disclosure of PHI to law enforcement is limited based on the facts and the nature of the requests (e.g., court-ordered warrant, subpoena, or to prevent or lessen a “serious and imminent threat to health or safety.”)[1] The Privacy Rule expressly defers to a provider’s professional judgement in determining what constitutes a “serious and imminent threat”;[2] however, per the guidance, OCR has clarified that it is “inconsistent with professional standards of ethical conduct to make such a disclosure of PHI to law enforcement or others regarding an individual’s interest, intent, or prior experience with reproductive health care.”[3] Moreover, the “narrow circumstances” for disclosure include, but are not limited to, efforts to:

  • Comply with a court order, court-ordered warrant, subpoena, summons issued by a judicial officer, or a grand jury subpoena (45 CFR 164.512(f)(1)(ii)(A)-(B);
  • Respond to an administrative request[4] ((45 CFR 164.512(f)(1)(ii)(C));
  • Report PHI that a covered entity in good faith believes to be evidence of a crime that occurred on the covered entity’s premises (45 CFR 164.512(f)(5));
  • Respond to a request for PHI about a victim of a crime, and the victim agrees (45 CFR 164.512(f)(3)); and
  • Report PHI to law enforcement when required by law to do so (45 CFR 164.512(f)(1)(i)).

Thus, absent a court order, the Privacy Rule’s exceptions to disclose PHI for law enforcement purposes do not permit disclosure to law enforcement where a hospital or health care provider wishes to report an individual’s abortion or other reproductive health care. Thus, a hospital employee who suspects a patient of having an abortion in a state where it is illegal cannot report the planned abortion to law enforcement unless a state law specifically requires such reporting. HHS clarifies that a statement indicating an individual’s intent to get a legal abortion, or any other care tied to pregnancy loss, ectopic pregnancy, or other complications related to or involving a pregnancy does not qualify as a “serious and imminent threat to the health and safety” of a person or the public.[5] Disclosing such information to law enforcement under such circumstances would be impermissible and would constitute a breach of unsecured PHI, requiring notification to HHS and the individual affected.[6]

And, while the Privacy Rule generally does not protect the privacy or security of an individual’s health information when it is accessed through or stored on a personal cell phone or tablet, guidance released last week by HHS outlined how individuals can protect themselves. The Privacy Rule only applies when PHI is created, received, maintained, or transmitted by covered entities and business associates (e.g., health care providers and health insurers), and does not extend to protecting the privacy of an individual’s Internet search history, any information that one voluntarily shares online, or an individual’s geographic location information. Consequently, the guidance sheds light on the ways one can protect their digital footprint and decrease how devices collect and share health and personal information.

Moreover, in response to the Dobbs decision and increasing concerns that personal data will be used to incriminate people seeking abortions, Sen. Elizabeth Warren, supported by a slate of five Democratic senators, proposed the passing of the Health and Location Protection Act to bar “data brokers from selling or transferring location data and health data.” If approved, the bill would permit the Federal Trade Commission and states’ attorneys general to sue brokers found to be in violation of the law. Notably, the legislation would include exceptions for compliance with HIPAA.

The legislative and regulatory landscape addressing abortion and reproductive health services is certain to change in the near future as states respond to the Dobbs decision. As granted by Dobbs, states will now have the authority to enforce their own abortion rules, which creates an opportunity for widely varying state statutes, penalties, exceptions, circumstances, and a variety of other consequences across the country. Health care providers that provide a full spectrum of women’s health care services, including abortion, will need to review their policies and procedures to ensure compliance with state laws and to understand how the Dobbs decision affects the care they can provide to patients. Providers should be familiar with the new guidance to verify the circumstances under which HIPAA permits the disclosure of PHI without patient authorization.

Proskauer is available to assist with addressing the short- and long-term implications of the Dobbs decision in the wake of forthcoming regulatory changes.

[1] https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html

[2] https://www.hhs.gov/hipaa/for-professionals/faq/3002/what-constitutes-serious-imminent-threat-that-would-permit-health-care-provider-disclose-phi-to-prevent-harm-patient-public-without-patients-authorization-permission/index.html

[3] https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html

[4] Provided that: the information sought is relevant and material to a legitimate law enforcement inquiry; the request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and de-identified information could not reasonably be used.

[5] https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html

[6] https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html

This past week, the Supreme Court of the United States (Supreme Court) denied UnitedHealthcare Insurance Company’s (UnitedHealthcare) petition for a writ of certiorari (Petition) challenging, in part, the Centers for Medicare & Medicaid Services’s (CMS) Overpayment Rule, which requires Medicare Advantage (MA) plans, such as UnitedHealthcare, to return identified “overpayments” to CMS within 60 days.  With this denial, the Overpayment Rule remains in full force and effect, and UnitedHealthcare, among other MA plans, must comply or potentially face False Claims Act (FCA) liability.

Continue Reading The Supreme Court Denies Petition Challenging CMS’s Overpayment Rule

The Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”), recently issued new regulatory guidance relating to covered entities’ HIPAA-compliant use of remote communication technologies for audio-only telehealth services. This guidance is a direct response to a December 2021 Executive Order that tasked HHS with developing HIPAA guidance for telehealth services, with the stated goals of improving “patient experience and convenience” as the COVID-19 public health emergency subsides. HHS has issued this guidance in anticipation of the national public health emergency ending, at which time OCR’s Telehealth Notification loses effect.

The new HIPAA guidance affects covered entities in four key ways.

Continue Reading HHS Issues HIPAA Guidance on Remote Communication Technologies for Audio-Only Telehealth

We previously discussed the requirements of the Hospital Price Transparency Rule (“Rule”) on health care providers and health plans, as well as CMS’s proposal to increase penalties for a hospital’s failure to comply with the Rule.  About a year and a half after the Rule became effective, CMS has now imposed its first set of civil monetary penalties (“CMPs”) on Northside Hospital Atlanta and Northside Hospital Cherokee, which have been fined $883,180 and $214,320, respectively.

The Rule requires, in part, hospitals to make public a machine-readable file containing a list of all standard charges for all items and services, such as, e.g., supplies, room and board, and use of the facility, among other items.  See 45 C.F.R. § 180.40(a); id. at § 180.20.  The Rule also requires hospitals to display shoppable services in a consumer-friendly manner.  See id. at § 180.60(d)(2); id. at § 180.60(b).  The goal of these specific requirements, in addition to those set forth in the remainder of the Rule, is to provide consumers with sufficient information about the charges for certain items and services by requiring health care providers and health plans to be publicly transparent about such charges.

Based on CMS’s CMP letters, dated June 7, 2022, Northside Hospital Atlanta and Northside Hospital Cherokee were non-compliant with the aforementioned specific requirements of the Rule.  The chronology of events is important to understand how CMS ended up issuing its CMP letters.

Continue Reading Health Care Providers on Alert: Two Hospitals Penalized for Continuous Noncompliance with the Hospital Price Transparency Rule