Anthem Pays OCR $16 Million in Record-Breaking HIPAA Data Breach Settlement

The Office of Civil Rights (OCR) announced in a press release this week that Anthem, Inc. (Anthem), one of the nation’s largest health benefit companies, has agreed to pay $16 million and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. This settlement is the largest in HIPAA-enforcement history, far exceeding the previous record of $5.5 million paid by Memorial Healthcare in 2017.

OCR investigated Anthem following its report that a series of cyber attacks in 2014 and 2015 resulted in theft of the electronic protected health information (ePHI) of nearly 79 million members of its affiliated and other covered entity health plans. In addition to Anthem’s failure to implement sufficient safeguards to prevent and detect the inappropriate access to its systems, OCR also found that Anthem had:

  • Failed to conduct an enterprise-wide risk analysis
  • Insufficient procedures to regularly review records of information system activity
  • Failed to identify and respond to suspected or known security incidents
  • Failed to implement adequate minimum access controls to prevent unauthorized access to ePHI

A link to the Resolution Agreement between Anthem and OCR is available here.

It is not surprising that the largest HIPAA breach to date would result in the largest settlement to date, and this is a strong signal of this administration’s interest in leveraging its penalty authority to make an example of organizations that have large data breaches. Organizations of all sizes should take note, however.  While penalties are imposed in only a small fraction of the incidents reported to OCR, any significant data breach will result in an OCR investigation that may bring inadequacies of privacy and security safeguards to light.

If you have questions or concerns about your HIPAA compliance posture or your information security and governance plans, we are ready to help.

Oregon Declines to Follow New Federal AHP Regulations

The Oregon Division of Financial Regulation (the “Division”) recently issued a bulletin clarifying Oregon law and guidance applicable to association health plans (“AHPs”), which are multiple employer welfare arrangements (“MEWAs”) under ERISA. In Bulletin No. DFR 2018-07 (the “Bulletin”), the Division declined to adopt the more flexible criteria established by the recent U.S. Department of Labor (“DOL”) final regulation on AHPs (the “AHP Rule”).

The AHP Rule modified the definition of “employer” under ERISA to provide new options for small businesses and working owners to join together and be treated as a single large employer sponsor of a group health plan. AHPs are attractive to small employers who can then purchase health insurance without the additional requirements imposed on small groups under the Affordable Care Act. The DOL claims the AHP Rule will expand access to and lower the cost of insurance policies for small businesses. Opponents, including states such as Oregon, say the rule will destabilize the individual and small group market, increase fraud and abuse, decrease comprehensive health coverage, and result in higher health insurance costs overall. Oregon joined a coalition of states in a lawsuit filed this summer challenging the AHP Rule.

The AHP Rule does not modify or otherwise limit state insurance law or authority to regulate MEWAs; it also explicitly preserves the DOL’s pre-rule guidance used to determine whether an association is “bona fide” and should be recognized as a single employer under ERISA. Given Oregon’s position on the AHP Rule, it is not surprising that the Bulletin indicates the Division will continue to enforce Oregon’s pre-rule guidance (see Bulletin INS 2013-3) without modification on the type of associations and MEWAs that may purchase or issue a health plan in Oregon.

The Bulletin provides a helpful summary of how associations can comply with Oregon requirements while reminding insurers, associations, MEWAs, agents, and producers that the Division would take action “for any failure to comply with or attempt to circumvent Oregon statutory or regulatory requirements with respect to health benefit plan coverage offered by or to an association.”

Ruling in the Eleventh Circuit Highlights Both the Breadth and Potential Limitations of AKS’s Employment Safe Harbor

Health care lawyers have long debated whether the AKS safe harbor provides full protection for employees who are paid to market a supplier’s services.  In Carrel v. AIDS Healthcare Foundation, 898 F.3d 1267 (Aug. 7, 2018), the Eleventh Circuit might have come a step closer to answering this question.  The Carrel court affirmed the dismissal of a False Claims Act suit against the AIDS Healthcare Foundation, Inc. (the “Foundation”), holding that the Anti-Kickback Statute (“AKS”) safe harbor for employment relationships protected bonuses the Foundation paid to employees who referred HIV/AIDS patients to the Foundation for treatment. The outcome of this case was unsurprising given the facts and relevant precedents in the Eleventh Circuit, but highlights an important potential limitation to the AKS’s employment safe harbor.

Carrel Put the Strict Terms of the Employment Safe Harbor to the Test

The AKS criminalizes knowingly and willfully offering, paying, soliciting, or receiving any remuneration to induce or reward referrals of items or services reimbursable by a federal health care program (e.g., Medicare or Medicaid). 42 U.S.C. § 1320a-7b(b). One of the most common AKS safe harbors protects “any amount paid by an employer to an employee (who has a bona fide employment relationship with such employer) for employment in the provision of covered items or services.” 42 U.S.C. § 1320a-7b(b)(3)(B). Regulations provide a parallel exemption for “any amount paid by an employer to an employee … for employment in the furnishing of any item or service for which payment may be made in whole or in part under Medicare, Medicaid, or other Federal health care programs.” 42 C.F.R. § 1001.952(i).

The plaintiffs in Carrel alleged that the Foundation violated the AKS by paying its employees bonuses for each HIV-positive individual they referred to the Foundation for treatment. Specifically, the Foundation had a contract with the State of Florida under which it conducted HIV testing. The contract (funded by the federal Ryan White Act) required the Foundation to refer clients with positive test results to health care providers for treatment, and compensated the Foundation for such referral services. In an apparent effort to incentivize these referrals, the Foundation offered cash bonuses to employees for each HIV-positive patient they successfully directed to the Foundation for follow-up medical care. The bonuses were allegedly not available if the patients received follow-up care from a provider that was not affiliated with the Foundation.

Welcome to Health Law Insider!

Welcome to Stoel Rives’ newest blog: Health Law Insider. Health Law Insider will provide insights from our team of experts on the full spectrum of legal issues that are shaping the health care industry, including data privacy and security, fraud and abuse, health care transactions, antitrust, taxation, and insurance regulation.

The health care delivery system is in the midst of a transformation. While the end state is unknown, it is almost certain to involve greater provider accountability for health outcomes, as well as increased reliance on data and technology. This blog will seek to inform those who are the agents of health delivery transformation about the ever-changing laws and regulations that govern the industry.

So please read on. We encourage you to subscribe for email updates and follow us on Twitter, Facebook or LinkedIn (see the sidebar on the right).

CMS Rule Extends Short-Term Health Insurance

On August 1, 2018, the Centers for Medicare & Medicaid Services issued a final rule that allows individuals to purchase short-term limited-duration health plans. Under the rule, short-term health plans can span an initial period of less than 12 months, with renewals and extensions capped at 36 months. Under the Affordable Care Act (“ACA”), lower-grade coverage options were restricted to three months without an option to renew and were typically used to bridge a coverage gap of a few months or less.

These short-duration health plans are not required to comply with ACA requirements around preexisting conditions or essential health benefits, and individuals can be denied coverage based on medical history. Insurers of short-term health plans can also choose not to cover categories of benefits, such as prescription drugs and substance use disorder treatment. Because these plans are not considered “qualifying health plans” under the ACA, individuals who purchase these plans in 2018 will owe a penalty for being uninsured (unless they qualify for an exemption). Beginning in 2019, purchasers of short-term health plans will face no penalty.

It is estimated that 200,000 individuals, mostly young beneficiaries, will exit the ACA exchange market under the rule, which could destabilize the ACA’s health insurance pools and raise premiums. The rule does not preempt states from imposing shorter limits on these plans, or banning the plans altogether, as Massachusetts, New Jersey, and New York have done.

Ninth Circuit Takes Broad View of What Is Required for a Licensee to Be “Independent”

On July 23, 2018, a three-judge panel in the Ninth Circuit issued a decision in Obidi v. Wal-Mart Stores, Inc. (Case No. 17-55539), holding that a class-action suit against Wal-Mart and FirstSight Vision Services, Inc., a vision-only health care plan, can proceed on the theory that the defendants violated various California consumer protection laws by advertising “Independent Doctors of Optometry” that were, in fact, controlled by Wal-Mart and FirstSight. Though the decision is a narrow one (addressing only whether the plaintiffs have standing to sue), its reasoning could be relevant for how retail clinics and other corporate entities structure their relationships with physicians and other licensees to comply with state corporate practice of medicine (“CPOM”) rules.

Background of the Case

Wal-Mart stores across the country include on-site “Vision Centers” that offer basic eye exams, contacts, and prescription glasses. In California, Wal-Mart is registered as an optician and leases space in its stores to FirstSight, a licensed vision health plan. FirstSight, in turn, subleases this space to individual optometrists who charge patients directly. Wal-Mart and FirstSight advertised that the Vision Centers were staffed by “Independent Doctors of Optometry.” A former patient filed a putative class-action suit alleging Wal-Mart and FirstSight violated California’s Unfair Competition Law because (a) the defendants falsely advertised that the optometrists were “independent” and (b) the business arrangement between Wal-Mart and FirstSight was an unlawful relationship between an optometrist and an eyeglass retailer.

The plaintiff alleged that she would not have purchased an eye exam if she had known that the optometrist was not “independent.” The Ninth Circuit considered the key question to be whether the plaintiff had “adequately alleged that her optometrist lacked independence.” The court answered in the affirmative, relying on various provisions in the leasing arrangement that, as a whole, indicated that “Wal-Mart and FirstSight were able to exercise undue influence over all their resident optometrists.” Evidence of such “undue” influence included Wal-Mart “setting rent as a percentage of revenue, prescribing minimum operating hours, and permitting the lessor to terminate leases at will.” The court also noted that there was anecdotal evidence that optometrists at other Wal-Mart locations were constrained in the rates they could charge and the therapies they could recommend.

However, the Ninth Circuit affirmed the dismissal of the claims based on violations of California laws that prohibited, among other things, retailers from directly or indirectly employing or maintaining an optometrist in stores that sell eyewear. The court reasoned that the plaintiff “fail[ed] to establish how her injury was fairly traceable to the purported statutory violations.”

Health Care Consolidation: Keeping Patients in Mind

According to a recent report from the Health Research Institute at PricewaterhouseCoopers, there were 255 health care merger and acquisition deals in Q2 of 2018. Though this number represents an overall reduction in health care deals over Q1, as evidenced by CVS’s proposed $69 billion merger with Aetna and Cigna’s merger with Express Scripts, the broader trend toward consolidation in health care continues.

Given the potential benefits of consolidation, it is no surprise that merger and acquisition activity is on the rise. A study by Charles River Associates (involving interviews with executives from 20 different hospital systems) indicated that hospital mergers result in reduced costs of capital and clinical standardization, leading to a 2.5 percent reduction in annual operating expenses per admission at acquired hospitals. According to the study, the average annual operating expense of the merging hospitals in the study, approximately $235 million, implied a merger-related annual savings of $5.8 million at each hospital.

Though consolidation offers many benefits, questions remain about whether consolidation, at least in its current form, will lead to lower-cost care for patients. A study analyzing consolidation in California found that consumers in health care markets in Northern California, which are “considerably more concentrated” than Southern California, pay 20 to 30 percent more for medical procedures than residents in Southern California. Even after cost-of-living adjustments, the study found that residents are paying 32 percent more for inpatient care, 28 percent more for outpatient care, and nearly 10 percent more in premiums. Some wonder whether increasing patient costs in these concentrated markets are a sign of what is to come if consolidation continues; as large medical groups become the norm, will it become more difficult for insurance companies to negotiate lower rates?

Proposed Medicare E/M Payment Overhaul Draws Mixed Reviews

Touted as a major step in its efforts toward Medicare modernization, CMS issued a proposed Physician Fee Schedule rule on July 12, 2018 that would, in part, gut the current five-tier structure for Evaluation and Management (“E/M”) codes and collapse levels 2 through 5 down to one payment rate. The proposed payment overhaul, coupled with changes in the documentation required to support certain claims for reimbursement, is geared toward simplifying the Medicare billing rules and reducing the administrative burden for physicians so that they can focus on patient care.

E/M services comprise about 40% of the charges approved by Medicare under the physician fee schedule, with office visits representing half of that amount. Currently, documentation for these visits must comply with rigorous Documentation Guidelines that require a record of all clinically relevant information, as well as justification for medical necessity and appropriateness. There are five visit levels in each new patient and established patient E/M code family, and documentation must justify the code level being billed. Each visit level is tied to a different reimbursement rate reflecting different levels of service complexity and time spent.

The proposed rule would retain the existing CPT coding structure, but provide for a single, blended reimbursement rate for both new and established patients for outpatient E/M level 2 through 5 office visits. Add-on codes will be available to reflect additional resources involved in providing complex primary care and non-procedural services. The documentation standards for more complex office visits would be reduced to the amount required for a level 2 visit. While many providers would continue to document justification for higher levels of care, in part because of non-Medicare payers, CMS asserts that the change would provide immediate relief from the need to “audit against the visit levels.” The single work RVU for the collapsed office visit category would fall somewhere between the current level 2 and level 5 amounts. The following example is provided in the proposed rule:

Preliminary Comparison of Payment Rates for Office Visits, New Patients

HCPCS Code   CY 2018 Non-facility Payment Rate   CY 2018 Non-facility Payment Rate under the proposed methodology
99201        $45                                 $44
99202        $76                                 $135 (single rate for 99202 through 99205)
99203        $110
99204        $167
99205        $211


ACA Debate Intensifies Ahead of Midterm Elections

Ten Republican Senators have introduced a bill that they say will require health insurers to cover pre-existing conditions if the Affordable Care Act (“ACA”) is invalidated. Critics counter that the bill offers little actual protection. Like the ACA, it would prohibit insurers from denying enrollment based on pre-existing conditions, but unlike the ACA, it would not require insurers to cover the conditions themselves.

The bill is the latest volley in an ongoing battle over the fate of the ACA. Here are some key steps that set the stage:

  • The 2017 tax bill eliminated the ACA tax penalty on individuals who do not have health insurance, effective as of 2019. This is one of two elements that has brought more healthy people into the individual market; the other is subsidized plans for those in lower income brackets.
  • In April 2018, CMS and HHS issued a rule permitting states to establish the levels of coverage insurers must offer in their health plans. Federal law no longer requires insurers to cover all of the ACA’s “essential health benefits.”
  • This month, hearings in Texas v. United States begin. A group of 20 states will argue that the tax penalty is a constitutional linchpin of the ACA, without which the law is invalid. The states also are asking for a preliminary injunction to halt operation of the ACA while the case is litigated. Seventeen states have filed an opposing motion.
  • The Justice Department is not defending the ACA in the Texas case. It has suggested that without the tax penalty, some parts of the ACA may still be valid, but the individual mandate, the pre-existing condition coverage requirement, and the prohibition on charging higher premiums based on medical history are not.
