Pierce & Mandell, P.C.

11 Beacon Street, Suite 800
Boston, Massachusetts 02108-3002

Phone: (617) 720-2444
Fax: (617) 720-3693

Health and Dental Law

RSS Grab Health and Dental Law RSS Feed

Read William Mandell's Most Recent Article in Boston Bar Association's Health Law Reporter

Joseph Coupal - Wednesday, July 10, 2013

William M. Mandell who heads Pierce & Mandell’s Health Law Practice authored an article entitled: “Should I Tell Someone?” Permissible Disclosures by Massachusetts Health Providers and the Need for Greater Statutory Clarification which was  published in the Boston Bar Association's Health Law Reporter Summer 2013 edition.  To read this article, click here.

UPDATING BUSINESS ASSOCIATE AGREEMENTS TO COMPLY WITH NEW HIPAA CHANGES - Boston

Joseph Coupal - Monday, July 01, 2013

The federal HHS Office of Civil Rights recently adopted final HIPAA regulations covering a broad range of topics, to strengthen privacy and security protections for individual health information.  This blog is another in a series examining these new regulatory requirements.   

By Dean P. Nicastro, Esq.

The new HIPAA Final Rule for Privacy, Security, Enforcement and Breach Notification (adopted in January 2013) creates new obligations for Business Associate Agreements (“BAA”) between physicians, hospitals and other health care providers (“Covered Entities”), and those contractors who perform services for them involving the use or disclosure of Protected Health Information (“PHI”).

As was mentioned in a previous blog, HIPAA now defines “Business Associate” (“BA”) to include a BA’s subcontractors who create, receive, maintain or transmit PHI on the BA’ behalf.  The new Final Rule goes on to require that a BAA between a Covered Entity and its BA must require the BA to ensure that the BA’s subcontractors comply with HIPAA privacy and security requirements.  Effectively, and as a mandate, this means that the Covered Entity’s BA must have in place a separate BAA with the BA’s subcontractor.

HIPAA makes clear that the Covered Entity need not have a BAA in place directly with the BA’s subcontractor. However, the Final Rule puts the burden on the Covered Entity to arrange for subcontractor compliance, by requiring the BA to obtain compliance assurance from its subcontractor.  Thus, HIPAA BAA’s between health care providers and their servicing vendors need to be revised and updated to include these “downstream” subcontractor compliance obligations.

Care should be exercised when drafting the updating revisions: for example, the main BAA should require that the downstream BAA mirror the BA’s privacy and security obligations; additionally, it may be advisable to expressly disavow any relationship of agency between the Covered Entity and the subcontractor.

Finally, when updating a BAA template, it would be helpful to include language of compliance with Massachusetts law and regulations that protect the security and disposal of data that contains personal information, like names and social security or financial account numbers.  Massachusetts consumer regulations require that a service provider contract be in place with vendors who access such data, so it is a good idea to have the HIPAA BAA serve as such a contract as well.  

In general, the HIPAA Final Rule must be complied with by September 23, 2013.  The federal HHS Office of Civil Rights has posted some helpful sample language for BAAs on its website.

Please contact the health law professionals at Pierce & Mandell for additional information on this subject.

CMS and OIG Propose to Amend Stark and Anti-Kickback Rules for EHR Donations

Joseph Coupal - Wednesday, May 01, 2013
By Dean P. Nicastro

Last month, the Centers for Medicare & Medicaid Services (CMS) and the Office of Inspector General of the U.S. Department of Health and Human Services (OIG) proposed similar amendments to the Stark exception and to the Anti-Kickback safe harbor for the donation of electronic health records (EHR).  The current rules permit hospitals, group practices and other entities to donate technology-related items and services to physicians, to be used to create, maintain, transmit or receive EHR.  Highlights of the proposed changes:

  • Eliminate the requirement that EHR must include an electronic prescribing component or interface ability
  • Change the procedure for deeming EHR software “interoperable,” so as to follow the current certification process employed by the Office of National Coordinator for Health Information Technology (ONC); and eliminate the 12-month prior timeframe for certification
  • Postpone the EHR sunset from December 31, 2013 to December 31, 2016

The two agencies believe that “sufficient alternative policy drivers” exist to advance electronic prescribing, and that the ONC certification program (which certifies to any edition of EHR certification criteria that is identified in the regulatory definition applicable at time of donation) is consistent with the objective of ensuring that EHR products are certified to the current standard of interoperability when they are donated.  In addition, the sunset extension is thought needed in order to help achieve more widespread adoption of EHR in the healthcare industry (the December 31, 2016 date corresponds with the closing timetable for Medicare/Medicaid EHR incentive programs; the agencies even suggest an extension to December 31, 2021).

The agencies have invited comment on the proposed amendments through June 10, 2013.  Also, they seek comment on whether to limit the class of permitted donors, so as to exclude certain ancillary suppliers, such as lab companies, durable medical equipment suppliers and independent home health agencies, and on other suggestions for preventing “data and referral lock-in” and for encouraging the free exchange of data.

The proposed changes are contained in the April 10, 2013 Federal Register.  Please contact the health law professionals at Pierce & Mandell for additional information on this subject.

New HIPAA Limitations and Changes

Joseph Coupal - Monday, April 01, 2013

NEW HIPAA LIMITATIONS ON USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION AND REQUIRED CHANGES TO NOTICE OF PRIVACY PRACTICES AND POLICIES

(I)The United States Department of Health and Human Services Office of Civil Rights final modified HIPAA regulations under the HITECH Act are now in effect and health care providers must achieve compliance with all of the new requirements by September 23, 2013. This is one in a continuing series of blogs from Pierce & Mandell, P.C. describing some of the major changes health and dental practices, hospitals and other health care facilities must be following by that date.   

By Kate Auerbach, Esq., Rebecca Merrill, Esq.  and William Mandell, Esq.

Marketing.

The modified HIPAA Privacy Rule redefines ‘marketing’ and increases the limits on the use and disclosure of protected health information (“PHI”), including patient contact information, by health care providers to do marketing.

Previously, marketing was defined as communication about a product or service to encourage individuals to purchase or use the product or service. While providers previously had to obtain a patient’s written authorization before using or disclosing their contact information for marketing purposes, the HIPAA Privacy Rules has allowed for several broad exceptions to securing patient authorization, including any communication about products or services offered by the provider itself or that recommended alternative treatments.  

Under the modified Privacy Rule, starting on September 23, 2013, providers will now have to secure their patients’ written authorization in order to use their contact information for marketing about health-related products or services if the provider or its business associates receive any financial remuneration in exchange for making the marketing communication from or on behalf of the third party whose product or service is being described. The modified rule does include an exception for refill reminders or communications about a medication being prescribed as long as the only remuneration received is reasonably related to costs of making the communication (labor, supplies, & postage). For example, if a medical practice sent a mailing without advance patient authorization about a new medication on the market and received compensation the practice could violate HIPAA (such remuneration, however, could raise fraud and abuse compliance issues). However, if the practice sent information about refilling a prescription and was reimbursed for the cost of the mailing it would not need to secure written authorization from the recipient/patients.

Under the modified Privacy Rule, marketing authorization forms must disclose to the patients the remuneration received by the provider from the third party and must also state that the patient may revoke the authorization at any time.     

There are exceptions to this authorization requirement.   If a communication is made face-to-face by a practitioner to a patient or if a promotional gift of nominal value is given, then advance patient written authorization is not required.  Additionally, refill reminders, adherence reminders and delivery system instructions are allowed without pre-authorization, as long as the remuneration received is reasonably related to the cost of making the communications, and the provider does not make a profit.  

Fundraising.

The original HIPAA Privacy Rule allowed non-profit providers to use, or disclose to a business associate or an institutionally related foundation, specific types of information about patients for fundraising activities without advance authorization, including demographic information and dates of service.   

The modified Privacy Rule creates additional categories of PHI that can be used for targeted fundraising communications.  These categories include: (i) department of service (general department of treatment); (ii) treating physician information; (iii) outcome information, and (iv) health insurance status.  This expanded scope of permissible information flow for fundraising related uses and disclosures is intended to permit non-profit providers to develop more focused fundraising efforts to particular individuals.    

However, HIPAA now requires starting on September 23, 2013 that fundraising communications to patients include a clear and conspicuous opportunity for the patient to “opt out” of receiving further fundraising communications.  The opt-out method can be chosen by the provider but it must not cause an “undue” burden” to patients and they cannot be required to write letters to the provider in order to opt-out of having their PHI used for fundraising purposes. Once a patient elects to opt-out the provider is absolutely prohibited from sending any more fundraising communications.  Non-profit providers are also prohibited from conditioning treatment or payment on a patient’s choice not to receive fundraising communications.

Obviously, these new requirements and limitations imposed on providers that do fundraising will add to their administrative burden and cost as a result of the need to avail patients of an opt-out or opt-in system and to track and ensure properly targeted marketing to patients and their families.   

Sale of PHI.

The modified HIPAA Privacy Rule also prohibits the sale of PHI by a covered entity or business associate. “Sale” is defined as the receipt of remuneration, directly or indirectly, in exchange for PHI, without patient written authorization, unless the sale meets a specified exception.  

There are eight exceptions to this sale of PHI prohibition, which include: (1) for public health activities; (2) for research, where the only remuneration received by the covered entity is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose; (3) for treatment and payment purposes; (4) for the sale, transfer, merger or consolidation of all or part of the covered entity and related due diligence; (5) to or by a business associate, if the only remuneration is provided by the covered entity to the business associate for the performance of its contracted services; (6) providing an individual with access to his or her PHI; (7) for disclosures required by law; and, (8) for any other purpose permitted by and in accordance with the applicable requirements of the Privacy Rule, where the only remuneration received by the covered entity is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose, or a fee otherwise expressly permitted by other laws.

Modification to Notice of Privacy Practices and health Information Policies and Procedures

No later than September 23, 2013 all providers that are covered entities under HIPAA must modify their required HIPAA Notice of Privacy Practices (“NPP”) and Health Information Policies and Procedures to incorporate the above mentioned changes on the patient privacy rights as to the use and disclosure of their health and personal information for marketing, fundraising and sales purposes, as well as the other new rights established under the HIPAA modified Privacy Rule. These include:

  • Right to limit any use or disclosure of PHI for certain sales, marketing and fundraising purposes before granting written authorization
  • Right to restrict disclosure of PHI to a health plan when the patient opts to pay the provider in full directly out of pocket
  • Right to be informed by a provider or other covered entity of any breach of unsecured PHI
  • Right to obtain electronic copies of PHI
  • Any uses and disclosure of PHI for treatment, payment or operations not stated and described in the NPP may only be upon patient written authorization.
  • Any prior written authorization granted may always be revoked.

Providers should be moving forward now to update their NPPs and Policies to reflect the new requirements in the modified HIPAA Privacy Rule. Care should be taken in the drafting of the modified NPP as it will now dictate if written authorization is needed for certain uses an disclosures even beyond those otherwise required under more stringent applicable state privacy laws. The new form of the NPP does not have to be shared with existing patients. It only needs to be posted on the provider’s website and in prominent place in its office or facility and given to all new patients during their first encounter or admission starting no later than September 23, 2013.

Please feel free to contact the health law attorneys at Pierce & Mandell if you desire additional information on this subject.

New HIPAA Regulations Impact Health Care Providers and Business Associates - Boston, MA

Joseph Coupal - Monday, March 18, 2013
The federal HHS Office of Civil Rights recently adopted final HIPAA regulations covering a broad range of topics, to strengthen privacy and security protections for individual health information.  This blog is Part 1 in a series.   

By Dean P. Nicastro, Esq.

Business Associates.

The new HIPAA regulatory amendments make business associates directly liable for various requirements in the HIPAA Privacy and Security Rules.  In particular, the amendment to the general applicability provision at 45 C.F.R. §160.102(b) states: “Where provided, the standards, requirements, and implementation specifications [of HIPAA privacy and security] apply to a business associate.”  Similar language has been added for both the Security Rule and the Privacy Rule (including particularly with respect to the protected health information (PHI) of a covered entity) at 45 C.F.R. §164.104(b) and 45 C.F.R. §164.500(c).  In effect, this means that business associates must implement administrative, physical and technical safeguards, and implement and document reasonable and appropriate policies and procedures, to protect PHI and electronic PHI under both the Security Rule and the Privacy Rule.

The amendments go on to expand the definition of a “business associate.”  The term now includes Health Information Organizations, E-prescribing Gateways, personal health record providers, and, most significantly, subcontractors of a business associate that create, receive, maintain or transmit PHI on behalf of the latter.  A definition of “subcontractor” has also been inserted: "a person to whom a business associate delegates a function, activity or service.”  HIPAA obligations thus now reach downstream entities that access or handle PHI of the main covered entity.

Additionally, the amendments add business associates to the HIPAA Enforcement Rule, in order to implement the imposition of liability for civil money penalties (CMPs) upon business associates for various HIPAA violations.

The new rules for business associate compliance become effective on March 26, 2013, and must be complied with by September 23, 2013.  Existing business associate agreements that were compliant with pre-existing regulations are deemed compliant with the new rules until the earlier of September 22, 2014 or the date the agreement is renewed or modified on/after September 23, 2013.

HIPAA Enforcement Rule.

The HIPAA regulatory amendments also strengthen HIPAA enforcement:

  • Private Complaints - HHS will investigate complaints about non-compliance filed by private persons when preliminary review of facts indicates possible violation due to willful neglect
  • Compliance Reviews - HHS will conduct a compliance review when preliminary review of facts indicates possible violation due to willful neglect
  • resolution of such investigations or compliance reviews can result in the imposition of CMPs or a determination of no violation
  • HHS may, for criminal or civil law enforcement activities, share PHI obtained in an investigation or compliance review with other legally-permitted governmental agencies (including state attorneys general)
  • Covered entities liable for violations by their business associates, and vice versa
  • governed by federal common law of agency
  • Increased tiered CMP penalty structure for violations, that takes into account whether the covered entity or business associate would have known of the violation, whether the violation was due to willful neglect or reasonable cause, and was corrected within 30 days
  • HHS will determine CMP amounts, considering mitigating or aggravating factors
    • nature and extent of violation (number of affected individuals, time period)
  • nature and extent of harm (physical, financial, reputation, patient’s ability to obtain health care)
  • prior compliance/violations
  • financial condition
  • other matters as justice may require

Covered entities and their business associates should be moving forward now that these final rules have been issued to review and update their business associate agreement templates and compliance policies accordingly.

Please contact the health law attorneys at Pierce & Mandell for additional information on this subject.

Health Law Provider Alert: New Notice Requirement for Material Change to Provider Operations or Governance

Joseph Coupal - Friday, March 15, 2013
By: Rebecca Merrill, Esq.

Massachusetts hospitals and medical groups contemplating a proposed acquisition, integration or affiliation must be aware of a new governmental reporting mandate and cost/market based oversight unique to Massachusetts that has just gone into effect.

The Massachusetts Cost Containment Law, passed last year, establishes a new requirement that every Massachusetts provider and provider organization must submit notice at least 60 days in advance of any proposed “material change” to its operations or governance structure to (1) the Massachusetts Attorney General, (2) the Center for Health Information and Analysis (“CHIA”), and (3) the new Health Policy Commission (“HPC”) established under the 2012 Cost Containment Law.   

 “Provider” is defined as “any person, corporation, partnership, governmental unit, state institution or any other entity qualified under the laws of the commonwealth to perform or provide health care services.”   

“Provider organization” includes “any corporation, partnership, business trust, association or organized group of persons, which is in the business of health care delivery or management, whether incorporated or not that represents 1 or more health care providers in contracting with carriers for the payments of heath care services; provided, that ‘provider organization’ shall include, but not be limited to, physician organizations, physician-hospital organizations, independent practice associations, provider networks, accountable care organizations and any other organization that contracts with carriers for payment for health care services.”

The rather limited statutory definition of “Material Change” includes, but is not limited to:

  • Corporate mergers;
  • Acquisitions or affiliations of a provider or provider organization and a carrier;
  • Acquisitions of insolvent provider organizations; and
  • Mergers or acquisitions of provider organizations resulting in provider organization having near majority of market share in a given service or region.

HPC has been charged with adopting regulations for administering these notice and review requirements and for further defining key terms including “material change” and “non-material change.”  While the notice and market impact review regulations are presently being developed by HPC and have not yet been issued, HPC has just released some Interim Guidance.      

In the Interim Guidance HPC has clarified that the following events constitute a Material Change for notification purposes:

  • A Merger or affiliation with a carrier;
  • An Acquisition of or by a carrier;
  • A Merger with or by a hospital or a hospital system;
  • Any other acquisition, merger or affiliation with another provider or provider organization that would result in an increase in annual patient service revenue of the provider or provider organization of $10 million or more;
  • Any clinical affiliation with another provider or provider organization that has an annual patient service revenue of $25 million or more in the preceding fiscal year; and
  • Any formation of a partnership, joint venture, common entity, accountable care organization, or parent corporation created for the purpose of contracting on behalf of one or more provider or provider organizations.

HPC has announced that only those providers and provider organizations with at least $25 million in net patient service revenue in the preceding fiscal year that propose a Material Change to close after March 12, 2013 must file the notice. Acquisition targets with less than $25 million in net patient service revenue could still be party to a reportable proposed transaction if the acquiring provider is in excess of the reporting threshold. Also, all material changes completed on or before March 12, 2013, will not be subject to this notice requirement.

The intent of the new notice requirement and review process is to empower and enable the HPC to conduct cost and market impact reviews with the ultimate goal of improving the quality of care in Massachusetts while simultaneously reducing cost through increased collaboration, transparency and innovation.

In reaction to the rapidly evolving Massachusetts health care market, most hospitals and medical groups in Massachusetts are considering their affiliation and integration options and joining ACOs.  Not all considered ventures and initiatives will trigger the new notice of Material Change under the Interim Guidance, however, providers and their legal counsels must be aware of what types of proposed new relationships and transactions will trigger the required notices and review. These reviews are in addition to already required applicable reviews and approvals by federal and state agencies regarding licensure, DON, closure of facilities, Medicare and Mass Health participation, change in charitable status and anti-trust.  

The requisite Material Change notice must be submitted electronically at least 60 days in advance of the proposed material change. HPC will develop a notice template that will include instructions, definitions, and explanations for all requested information and the form will soon be available online at www.mass.gove/hpc. In the interim, providers and provider groups seeking to submit notice should request the form directly from HPC at HPC-Notice@state.ma.us.  

Stay tuned for developing regulations on Massachusetts Cost Containment Provider Material Change notice and reporting requirements for hospitals, other facilities, medical groups and health plans.  If you have questions about the reporting requirements or need assistance in evaluating affiliation and integration options or joining ACOs, health law attorneys at Pierce & Mandell, P.C., are here to assist you.

Dental Law - Dentists Participating In MassHealth Take Note! - Boston, MA Lawyers

Joseph Coupal - Wednesday, March 13, 2013
By: Kate L. Auerbach, Esq.

All dental providers that participate in MassHealth must understand that while they may code for the services they perform using the federally mandated American Dental Association’s (“ADA”) Code on Dental Procedures (the “Code”), MassHealth will look to 130 CMR 420.000 and 450.000 which contain the specific state regulations governing dental services. All dental providers participating in MassHealth must comply with MassHealth regulations, including but not limited to 130 CMR 420.000 and 450.000.

It is the dental provider’s responsibility to be attentive of any and all Massachusetts dental regulations, including MassHealth Transmittal Letters that will form the basis for what is or is not reimbursable.  Massachusetts State Auditor Suzanne Bump has been continually performing audits of the MassHealth dental system since 2010, and has put pressure on MassHealth to be a better job of screening claims for payments from dental providers.  Most recently, an audit focused on 19,274 claims of “detailed oral screenings.”  Based on the results of the audit, it seems there is confusion with the code for a “detailed oral screening” because many dental providers use D0160, which in the ADA’s description of services states is a “detailed and extensive problem focused evaluation [which] entails extensive diagnostic and cognitive modalities based on the findings of a comprehensive oral evaluation.”  The ADA guideline, found in the Code, contains no requirements that a MassHealth patient must be undergoing radiation treatment, chemotherapy or organ transplant in order for the provider to be reimbursed for rendering an extensive oral evaluation.  However, 130 CMR 420.456(B)(1) says it will pay for oral screenings for members that are “undergoing radiation treatment or chemotherapy,” and the State Auditor has declared that MassHealth wrongly reimbursed providers who were treating individuals who were not undergoing radiation or chemotherapy.

Massachusetts State Auditor Suzanne Bump’s office has sought refunds from dental providers to recover monies paid as a result of this discrepancy, requiring dental providers to defend themselves.  If dental professionals do not pay close attention to the specific MassHealth rules and regulations, then they may be subject to audits, claims for refunds, or even worse, penalties or civil and criminal prosecution and exclusion from the program.   MassHealth dental providers should never assume that they can perform a service simply because it meets their view of the standard of care or good clinical practice.  Rather, the services must fall into an acceptable Massachusetts policy as to what is reimbursable.  

Please contact the dental law professionals at Pierce & Mandell for further information.

Proposed Changes to Prescription Monitoring Program Would Affect Most Physicians

Joseph Coupal - Monday, February 25, 2013
By Dean P. Nicastro

Massachusetts’ new Prescription Monitoring Program (PMP) Law (Chapter 244 of the Acts of 2012) provides that practitioners who prescribe controlled substances (Schedules II-V) will be automatically registered as participants in the state’s PMP when they obtain or renew their Massachusetts controlled substance registration.  This provision took effect January 1, 2013, and the Massachusetts Department of Public Health (DPH), acting under the PMP Law’s mandate, has issued proposed amendments to its existing PMP regulations to implement the automatic participation requirement and associated provisions.

Highlights of these proposed amendments:

  • Effective January 1, 2013, all practitioners (physicians, dentists, podiatrists) who hold a Massachusetts Controlled Substance Registration (MCSR) are automatically granted authority to “utilize” the PMP
  • “utilize” is defined as accessing or reviewing a patient’s prescription history within the PMP
  • Practitioners must accept the Terms and Conditions of use of the PMP to complete a MCSR
  • PMP participants must utilize the PMP prior to seeing a “new patient” – compliance is met by reviewing the most recent 12-month prescription history of the “new patient”
  • “new patient” means an individual person who has not received any professional services from the participant within the previous 12 months
  • Attending physicians in a hospital or other inpatient facility are subject to this utilization requirement, but not other participants who provide care in the hospital/facility
  • Exceptions are carved out for when acute care is required so as not to result in patient harm, and for instances when the PMP is not reasonably possible to be utilized (e.g., technological or electrical failure)
  • PMP primary account holders may routinely request to delegate up to 2 authorized support staff to utilize the PMP on their behalf – the primary account holder is responsible for all delegate use of the PMP

The proposed regulatory amendments will be up for public hearing before the Public Health Council (PHC) on March 22, 2013.  DPH has stated that the goals of the proposed amendments are to: “(1) increase utilization of the PMP in order to provide prescribers and dispensers with additional information that can inform clinical decision making, and (2) better address the morbidity and mortality resulting from prescription drug misuse and abuse by identifying individuals in need of intervention or treatment.”  Because the proposed amendments will require physicians and other prescribing practitioners to check the PMP database when seeing “new patients,” testimony from organized medicine and other interested parties can be expected.  A final version of the regulations could be adopted as early as the PHC’s April 2013 meeting.

Pierce & Mandell P.C.’s health care lawyers are uniquely qualified to assist medical professionals in understanding, interpreting and complying with the latest PMP regulations. Contact us.

Mandatory Compliance and Ethics Programs for Nursing Homes

Joseph Coupal - Thursday, February 21, 2013
By: Rebecca J. Merrill, Esq.

Time is Running Out: March 23rd is the Deadline for Nursing Facilities to Implement Mandatory Compliance & Ethics Programs

On or before March 23, 2013, Medicare and/or Medicaid certified nursing facilities must have in operation a Compliance & Ethics Program that is effective in promoting quality of care and preventing and detecting criminal, civil and administrative violations under the Patient Protection and Affordable Care Act of 2010 (Pub. L. 111-148) (the “ACA”).  While the ACA clearly required the Secretary and Inspector General of the Department of Health and Human Services to issue regulations further defining the ACA Mandatory Compliance & Ethics program requirements by March, 23, 2012, no such regulations have been promulgated.  The lack of clarifying regulations, however, does not relieve nursing facilities of the statutory obligation to have in operation such a Compliance & Ethics Program. Fortunately, the Office of Inspector General has long been committed to guiding nursing facility providers in the development of voluntary compliance plans and such guidance is an excellent starting point for developing or reviewing and updating existing compliance programs and documents. See OIG Supplemental Compliance Program Guidance for Nursing Facilities, Sept. 2008; and OIG Original Compliance Program Guidance for Nursing Facilities, Mar. 2000.  

Section 6201 of the ACA also sets forth several critical elements that must be addressed in nursing facility compliance and ethics programs to meet the ACA mandate.  These elements include:

A. Established compliance standards and procedures to be followed by employees and other agents that are reasonably capable of reducing the prospect of criminal, civil, and administrative violations.

B. Assign overall responsibility for compliance oversight to specific individuals within high-level personnel of the organization to ensure adherence to compliance and ethics standards and procedures and provide such individuals with sufficient resources and authority to accomplish such compliance.

C. Use due care not to delegate substantial discretionary authority to individuals whom the organization knows, or should know, through the exercise of due diligence, had a propensity to engage in criminal, civil, and administrative violations.

D. Take steps to effectively communicate its compliance and ethics standards and procedures to all employees and organizational agents (e.g., require participation in training program; disseminate training materials that explain requirements in a practical manner).

E. Take reasonable steps to achieve compliance with its standards (e.g., utilize monitoring and auditing systems designed to detect criminal, civil, and administrative violations under the ACA by its employee and agents; employ and publicize a reporting system that enables employees and agents to report violations without fear of retribution).

F. Consistently enforce standards and procedures through appropriate disciplinary mechanisms, including, as appropriate, discipline of individuals responsible for the failure to detect an offense.

G. After an offense has been detected, take all reasonable steps to respond appropriately to the offense and prevent further offenses of a like nature (e.g., make necessary modifications to existing compliance and ethics program to better prevent and detect criminal, civil, and administrative violations).

H. Perform periodic reassessment of the existing compliance and ethics program to identify changes necessitated by organizational evolution and changes in public policy.  

All nursing facilities should undertake a comprehensive review of existing compliance and ethics policies, if any, and update or draft new policies to ensure that the facility meets the statutory requirements for the March 23, 2013, Mandatory Compliance & Ethics Programs for CMS Certified Nursing Facilities.  The Health Care Team at Pierce & Mandell, P.C. is equipped and prepared to assist your facility in developing or updating its compliance and ethics standards and procedures.  

Final Sunshine Act Rule on Disclosure of Gifts to Doctors and Hospitals

Joseph Coupal - Monday, February 18, 2013
by William M. Mandell

The Centers for Medicare and Medicaid Services (“CMS”) released its final Sunshine Rule on February 1. This Rule implements the federal open transparency system, passed as part of Affordable Care Act that requires manufacturers of drugs, devices, biological, and medical supplies covered by Medicare, Medicaid, or the Children's Health Insurance Program to report payments or other transfers of value made to physicians, dentists, podiatrists, optometrists, chiropractors, and teaching hospitals. CMS will post the reported data on a new federal public website which will “go live” by September, 2014 implementing the mandatory national reporting system intended to expand the transparency of industry relations with medicine.

Some highlights of the final Sunshine Rules include:

New Deadlines

Data collection will start on August 1, 2013 CMS said, noting that manufacturers will report the data for August through December of 2013 to CMS by March 31, 2014 and CMS will release the data on a public website by September 30, 2014. CMS is developing an electronic system to facilitate the reporting process.

Companies required to Collect Data and Report
 
The term “applicable manufacturer” has been defined quite broadly to include not only a company that manufactures drugs, devices, or biological or medical supply, but also companies that license the technology and distribute items. CMS, however, excluded pharmacies, in-house labs and manufacturers of raw materials or components from the Sunshine data collection and reporting requirements.

Content of Reports

Each report must disclose the form and nature of each payment by category, such as “food and beverage”, “speaking” or “research”.

Opportunity to Correct

Reporting companies and reported physician, practitioner and teaching hospital recipients will be able to review and correct the data provided in any reporting period during a specified 45 day period before it is posted on-line.

Exemption for CME Sponsorship Reporting

Support payments made by companies for CME programs and speakers are not subject to Sunshine reporting if certain requirements are meet, including proper program accreditation and the absence of company influence on content and speaker selection.

Research

The final rule simplified the scope of reporting of research payment over a broad range of pre-clinical and FDA phase research. As allowed under the ACA, publication of reported research payments related to new products are delayed for the sooner of four years or the FDA approval date. Payments for research on new applications of existing products may not be subject to delayed publication.

Preemption Of Existing State Laws

CMS is instructing drug and device companies subject to Sunshine reporting to continue to report under State or local disclosure laws “until the requirements under the Federal rule take effect.” This would appear to mean that companies can stop collecting data after July 31, 2013 that is now required to be collected and reported under the Massachusetts Pharmaceutical and Medical Device Manufacturer Code of Conduct. The Massachusetts Department of Public Health regulations governing the Massachusetts reporting requirements were amended last November to address federal preemption and state that no company is required to disclose information to Mass DPH that has already been disclosed to CMS pursuant to Sunshine reporting and that is then provided by CMS to DPH in annual reports. But, companies would presumably still need to file final Massachusetts reports to DPH for all pre-August 2013 data collected by the June 1, 2014 Massachusetts reporting deadline.  More guidance from Massachusetts DPH will hopefully be forth coming on this issue.

As expected, Sunshine preemption does not prohibit DPH, under the Massachusetts reporting law, from continuing to require reporting of information regarding payments or other transfers of value that are not required under the Sunshine Rule.

Violation and Compliance

Companies that fail to collect and report required data to CMS on payments to physicians and teaching hospitals can be fined up to $150,000 annually in civil penalties. Knowing failure to report can result in fines of up to $1 million annually, and the federal enforcement agencies (CMS and the HHS OIG) “reserve the right to audit, evaluate or inspect applicable manufacturers for their compliance with the reporting requirements.” Companies must maintain records for five years from the date of payment.

Future Trends for Massachusetts Physicians

Overall, the relaxation under Massachusetts law on meals in locations other than hospitals and medical offices, and the recent CMS implementation of broader Sunshine Act federal reporting on financial interactions with physicians and teaching hospitals, does bring the Massachusetts regulatory scheme on relationships with industry more in line with those applicable to physicians from other states. However, one thing is certain for all physicians across the U.S. –interactions with drug and device companies will become part of a comprehensive federal searchable on-line data base accessible by the public, including patients, journalists and enforcement agencies.

The health care legal team at Pierce & Mandell  is ready to assist doctors, hospitals, and drug and device companies to better understand and comply with the new requirements.


Enter your e-mail address below to receive updates on new blog posts!


Recent Posts


Archive


Tags