Category Archives: Medicaid Advocate
I have a guest blogger today – what an honor! Teresa Greenhill is the co-creator of MentalHealthforSeniors.com, which is dedicated to providing seniors with information on physical and mental fitness. Being a senior herself, Teresa, with some help from her granddaughter, manages the website as a way to keep her busy and help other seniors be active and happy in their golden years.
Teresa’s blog today is about Medicare consumers creating a “senior” business…make money as a senior! Think it can’t be done?? Read Teresa’s blog below.
Breaking Into the House-Flipping Business: A Guide for Seniors
House-flipping can be a lucrative and rewarding venture for seniors. Maybe you are a retiree looking for a second career. Maybe you’ve always wanted to get competitive in the world of real estate. Or maybe you’re just trying to stay occupied and active while bringing in a little extra cash. Whatever the case, if you’re considering trying your hand at house-flipping, here are some of the basics you should know.
Seniors tend to thrive in the field of real estate.
Success in real estate can hinge very much on how well you deal with people. And this is something that many seniors have become adept at, over the years. You’ve probably had your share of managing difficult personalities. You can often anticipate issues before they arise. And most importantly, your own life experience sets you up to empathize with what others may be going through. Individuals who are selling or buying a home will appreciate the chance to deal with someone who is competent and calm, and who understands their worries. The bonus for seniors is that the work is relatively undemanding and allows you to set your own schedule.
You don’t need to be a real estate agent.
You don’t need to train to be an agent, or be certified as an agent, in order to get into flipping houses. That doesn’t mean there aren’t benefits to getting your real estate agent’s license, however. As a licensed agent, you will save money on commissions. You will also have better and earlier access to real estate listings. And being educated in the ins and outs of home buying and selling will make the entire process run more smoothly for you.
You will need to start with a certain amount of funding.
House-flipping is not one of those fields you can leap into without preparation, and this includes financial preparation. Before you decide that house-flipping is right for you, check to see whether you are financially ready to make a good start. The biggest expense you will face is the acquisition cost, which will vary depending on location, the size of the property, and its condition. You will also have to deal with renovation expenses and property taxes. Other costs involved in house-flipping include utilities, inspections, permits, and closing costs. So yes, this is a field that is easier to break into if you have plenty of cash on hand. But seniors who don’t have much expendable income still may be able to get a bank or home equity loan to start off.
Should you buy fixer-uppers?
When going into house flipping, the idea is that you will sell a house for more than you spent on it – so, yes, some renovation is a given. But there’s a limit to how much renovation and repair is a good idea. Even a home that looks decent at first glance could have a host of problems including expensive issues pertaining to the foundation, the roof, or the structure itself. Look out for mold, asbestos, termite damage, and wiring problems. A good choice is a home that will benefit immensely from less expensive aesthetic updates such as a good paint job, new cabinets, or improved landscaping. Of course, much depends on how skilled you are at home renovations and repairs, yourself.
Will you have to hire employees?
If you plan on making this a business, you may want to bring on more permanent hires. Or you may prefer simply to deal with contractors. Either way, make sure you hire individuals or companies that have good reviews and are well regarded. Don’t forget that you will need to manage payroll, as soon as you start hiring others. So make sure anyone you bring on fills out the appropriate paperwork, and have an organized system for paying them promptly and correctly.
If you feel you have what it takes to succeed at – and enjoy – house-flipping, this may be the beginning of an exciting new phase in your life. Just be sure you are well informed, and sufficiently financially equipped to get your start safely. If you are a senior interested in real estate and also have legal questions pertaining to Medicaid or Medicare in the Raleigh area, contact Knicole C. Emanuel of Medicaid Law NC.
Today I want to discuss EHR – electronic health records and RAC audits. We all remember the government pushing providers into purchasing EHR. It’s known as the meaningful use (MU) program, which is now known as the Promoting Interoperability Programs. CMS initially provided 10 incentives to accelerate the adoption of EHRs to meet program requirements. Now, physicians who fail to participate in MU will receive a penalty in the form of reduced Medicare reimbursements, at a minimum. Multiple audits at a maximum. Physicians must use certified electronic health records technology (CEHRT) and demonstrate meaningful use through an attestation process at the end of each MU reporting period to avoid the penalty.
Audits for MU can equal tens of thousands of dollars. The monetary amount is not as high as other RAC audits for medical records. One of my clients is a pediatric facility in Georgia. His facility received an alleged overpayment of $34,000 for two of his physicians not meeting the meaningful use criteria 8 and 9. We were going to fight it, but the two physicians who were dinged had quit and would not testify positively on behalf of my client. Plus, attorneys’ fees would surpass the penalty. Criteria 8 and 9 constitute proving your consumer have email and actually open their emails to check their health care internet folders, which are ridiculous criteria.
On September 2, 2020, CMS published the Fiscal Year (FY) 2021 Medicare Hospital Inpatient Prospective Payment System (IPPS) for Acute Care Hospitals and Long-Term Care Hospital (LTCH) Prospective Payment System (PPS) Final Rule which included program requirements for calendar year (CY) 2021. In this final rule, CMS continued its advancement of EHR utilization, focusing on burden reduction, and improving interoperability, and patient access to health information.
Meaningful use’s not anticipated consequence is ramping up RAC audits. Many RAC auditors are using EHR to claim “copy and paste.” Obviously, the point of EHR is to morph all service notes into a certain standard-looking note. But standard-looking notes scream copy and paste to RAC auditors. Maybe RAC auditors haven’t digested meaningful use yet.
On August 2, 2021 CMS released the Fiscal Year (FY) 2022 Medicare Hospital Inpatient Prospective Payment System for Acute Care Hospitals and Long-term Care Hospital Prospective Payment System Final Rule. For more information on the proposed changes, visit the Federal Register.
COVID affected EHR audits too.
The deadline for eligible hospitals and critical access to submit a hardship exception application is September 1, 2021.
Today I pose a very important question for you. Do your participation contracts that you sign with Medicare/caid, MCOs, MACs – do they even matter? Are these boilerplate contracts worth the ink and the paper? The answer is yes and no. To the extent that the contracts are written aligned with the federal and State regulations, the contracts are enforceable. To the extent that the contracts violate the federal regulations, those clauses are unenforceable. The contract can even, at times, be more stringent or contain more limitations than the federal regulations. One thing is for sure, these contracts can be your worst enemy or your savior, depending on the clauses.
An Idaho client-provider of mine has been the victim of Optum-“black-hole-ism.” In this case, the “black-hole-ism” will save my client from paying $500k it does not owe. My client is the leading substance abuse (SA) provider in Idaho. Optum is managing Medicaid dollars, which makes it the Agent of the “single State agency,” the Department of Health of Idaho. 42 C.F.R. 431.10. See blog.
The Optum provider contract states that – “It is agreed that the parties knowingly and voluntarily waive any right to a Dispute if arbitration is not initiated within one year after the Dispute Date.” What a great clause. If only all contracts had this limiting clause.
In our dispute, Optum avers we owe $500k. The first demand we received was dated December 2018 for DOS 2016-2017. Notice Optum was timely back in 2018. That was when the client hired my team, and we submitted a rebuttal and initiated the informal appeal to Optum. Here’s where Optum gets sloppy. Months pass. A year passes. I hear crickets in the background. A year and a half passes. Who knows why Optum took a year and a half to respond? COVID happened. Black-hole-ism? Bureaucracy and red tape? Apathy? Ineptness?
Finally, we get a response in September 2020. We respond in October 2020. Our new response included a novel argument that was not included in the 2018 rebuttal. Our argument went something like: “Na Na Na Boo Boo, you’re too late per 7.1 Optum contract.” If we could have included a raspberry, we would done so.
Remember the clause? “It is agreed that the parties knowingly and voluntarily waive any right to a Dispute if arbitration is not initiated within one year after the Dispute Date.”
Well, 2020 is 3-4 years after the initial DOS at issue: 2016-2017. This time, the boilerplate contract is our friend.
Since there is also an arbitration clause, which is not your friend, we will be wholly dependent on an arbitrator to interpret the one-year, limiting clause as a logical, reasonable person. But I will be shocked if even an arbitrator doesn’t throw out this case with prejudice.
Today I want to talk about two ways to increase revenue merely by ensuring that your patients’ rights are met. We talk about providers being audited for their claims being regulatory compliant, but how about self-audits to increase your revenue? I like these kind of audits! I am calling these audits “Reverse RAC audits”. Let’s bring money in instead of reimbursements recouped.
You can protect yourself as a provider and increase revenue by remembering and litigating on behalf of your consumers’ rights. Plus, your patients will be eternally grateful for your advocacy. It is a win/win. The following are two, distinct ways to increase revenue and protect your consumers’ rights:
- Ensuring freedom of choice of provider; and
- Appealing denials on behalf of your consumers.
Freedom of choice of provider.
In a federal case in Indiana, we won an injunction based on the patients’ rights to access to care.
42 CFR § 431.51 – Free choice of providers states that “(b) State plan requirements. A State plan must provide as follows…:
(1) A beneficiary may obtain Medicaid services from any institution, agency, pharmacy, person, or organization that is –
(i) Qualified to furnish the services; and
(ii) Willing to furnish them to that particular beneficiary.
In Bader v. Wernert, MD, we successfully obtained an injunction enjoining the State of Indiana from terminating a health care facility. We sued on behalf of a geneticist – Dr. Bader – whose facility’s contract was terminated from the Medicaid program for cause. We sued Dr. Wernert in his official capacity as Secretary of the Indiana Family and Social Services Administration. Through litigation, we saved the facility’s Medicaid contract from being terminated based on the rights of the consumers. The consumers’ rights can come to the aid of the provider.
Keep in mind that some States’ Waivers for Medicaid include exceptions and limitations to the qualified and willing provider standard. There are also limits to waiving the freedom of choice of provider, as well.
Appealing consumers’ denials.
This is kind of a reverse RAC Audit. This is an easy way to increase revenue.
Under 42 CFR § 405.910 – Appointed representatives, a provider of services may appeal on behalf of the consumers. If you appeal on behalf of your consumers, the obvious benefit is that you could get reimbursed for the services rendered that were denied. You cannot charge a fee for the service; however, so please keep this in mind.
One of my clients currently has hired my team appealing all denials that are still viable under the statute of limitations. There are literally hundreds of denials.
Over the past few years, they had hundreds of consumers’ coverage get denied for one reason or the other. Allegedly not medically necessary or provider’s trainings weren’t conveyed to the auditors. In other words, most of the denials are egregiously wrong. Others are closer to call. Regardless these funds were all a huge lump of accounts’ receivables that was weighing down the accounting books.
Now, with the help of my team, little by little, claim by claim, we are chipping away at that accounts’ receivables. The receivables are decreasing just by appealing the consumers’ denials.
Changes of ownership of a facility can spur RAC, MAC, and MCO audits. In fact, federal regulations require disclosure of changes of ownership within 35 days after any change of ownership. 42 CFR 455.104. The regulations require disclosure, but there is no guidance regarding acceptance of said change of ownership. In other words what if your company undergoes a change in ownership and the MCO or MAC terminates the participation agreement because they don’t appreciate who the new owner is. The federal regulations also require disclosure of any convictions related to Medicaid. 42 CFR 455.106. In the particular case I am discussing, the MCO audited this company 10-15 times over two years. There seemed to be a personal vendetta, for whatever reason, against the company from higher-ups at the MCO.
Managed care can be tricky because, by definition, it removes the management of Medicaid and Medicare from the government agencies into these quasi-private/quasi-governmental agencies. I still think that managed care violates 42 CFR 410(e), the single state agency requirement that states that “The Medicaid agency may not delegate, to other than its own officials, the authority to supervise the plan or to develop or issue policies, rules, and regulations on program matters.” Despite my personal opinion, managed care is definitely the trend. To date, 40 States have managed care organizations (MCOs) to manage Medicaid.
This company is a behavioral health care provider, which provides substance abuse services, SAIOP, SACOT, PSR, OPT, urine tests; they run a Suboxone clinic, a laboratory, and a pharmacy. It also provides free/charitable transportation services to get the consumers to the facility without receiving any money in return. The CEO was accused of personal, tax fraud. He and his wife never submitted their own taxes; they relied on professionals. One, below-stellar accountant performed the companies’ taxes and the CEO’s personal taxes a few years ago. I am no tax expert, but apparently the problem was that he took no salary for two years while the facility was bringing in little profit. His wife is a physician, so they were able to sustain on one income. A lot of confusion later and multiple tax and criminal attorneys, CEO pled guilty to a personal tax plea. It is a Martha Stewart mistake, not a Bernie Madoff. The guilty plea was not germane to Medicaid.
Once the CEO pleads guilty to the personal plea, the newspaper publishes a story. The MCO first terminates the contract based on 42 CFR 455.106, which requires disclosure if – and the exact wording is important – “Has been convicted of a criminal offense related to that person’s involvement in any program under Medicare, Medicaid, or the Title XX services program since the inception of those programs.” This guilty plea was not related to Medicaid so the termination was erroneous.
Concurrently, in light of the CEO’s plea, he steps down and his wife who is also a medical physician steps in to transition as CEO to keep the company going. Obviously, a company is bigger than its CEO’s personal transgressions. 200 staff and hundreds of consumers relied on its viability as a company.
Once we argued that the personal guilty plea was not related to Medicaid, the MCO added the additional reason for termination – failing to disclose a change in ownership. A double whammy!
We were able to successfully file a preliminary injunction arguing that irreparable harm would ensue if the termination were upheld. We also argued that the terminations were erroneous. The Judge agreed in this case agreeing that a company is indeed bigger than its CEO’s transgressions.
We always think about audits involving medical records. But audits can also involve audits of corporate disclosures or nondisclosures of managerial issues. Audits of provider executive teams can be deadly to any company.
Terminations of provider agreements are always tricky because, most often, the MCO or MAC will argue that it can terminate the Medicaid/care contract at will. I disagree, first and foremost. See blog, “Property Rights.”
If a facility is terminated for cause, that reason better be accurate!
In this case, the CEO had no duty to disclose his personal, guilty plea per the regulations. Secondly, the MCOs’ assertion that it had no notice of the transfer of ownership was equally as disingenuous. The facility had been open and honest regarding the transition of the company to a new CEO. While no formal notice was ever provided, there was clear communication about the transition to/from the MCO.
Thus, we were successful in obtaining an injunction; thereby keeping the company viable.
Auditors are not lawyers. Some auditors do not even possess the clinical background of the services they are auditing. In this blog, I am concentrating on the lack of legal licenses. Because the standards to which auditors need to hold providers to are not only found in the Medicare Provider Manuals, regulations, NCDs and LCDs. Oh, no… To add even more spice to the spice cabinet, common law court cases also create and amend Medicare and Medicaid policies.
For example, the Jimmo v. Selebius settlement agreement dictates the standards for skilled nursing and skilled therapy in skilled nursing facilities, home health, and outpatient therapy settings and importantly holds that coverage does not turn on the presence or absence of a beneficiary’s potential for improvement.
The Jimmo settlement dictates that:
“Specifically, in accordance with the settlement agreement, the manual revisions clarify that coverage of skilled nursing and skilled therapy services in the skilled nursing facility (SNF), home health (HH), and outpatient therapy (OPT) settings “…does not turn on the presence or absence of a beneficiary’s potential for improvement, but rather on the beneficiary’s need for skilled care.” Skilled care may be necessary to improve a patient’s current condition, to maintain the patient’s current condition, or to prevent or slow further deterioration of the patient’s condition.”
This Jimmo standard – not requiring a potential for improvement – is essential for diseases that are lifelong and debilitating, like Multiple Sclerosis (“MS”). For beneficiaries suffering from MS, skilled therapy is essential to prevent regression.
I have reviewed numerous audits by UPICs, in particular, which have failed to follow the Jimmo settlement standard and denied 100% of my provider-client’s claims. 100%. All for failure to demonstrate potential for improvement for MS patients. It’s ludicrous until you stop and remember that auditors are not lawyers. This Jimmo standard is found in a settlement agreement from January 2013. While we will win on appeal, it costs providers money valuable money when auditors apply the wrong standards.
The amounts in controversy are generally high due to extrapolations, which is when the UPIC samples a low number of claims, determines an error rate and extrapolates that error rate across the universe. When the error rate is falsely 100%, the extrapolation tends to be high.
While an expectation of improvement could be a reasonable criterion to consider when evaluating, for example, a claim in which the goal of treatment is restoring a prior capability, Medicare policy has long recognized that there may also be specific instances where no improvement is expected but skilled care is, nevertheless, required in order to prevent or slow deterioration and maintain a beneficiary at the maximum practicable level of function. For example, in the regulations at 42 CFR 409.32(c), the level of care criteria for SNF coverage specify that the “. . . restoration potential of a patient is not the deciding factor in determining whether skilled services are needed. Even if full recovery or medical improvement is not possible, a patient may need skilled services to prevent further deterioration or preserve current capabilities.” The auditors should understand this and be trained on the proper standards. The Medicare statute and regulations have never supported the imposition of an “Improvement Standard” rule-of-thumb in determining whether skilled care is required to prevent or slow deterioration in a patient’s condition.
When you are audited by an auditor whether it be a RAC, MAC or UPIC, make sure the auditors are applying the correct standards. Remember, the auditors aren’t attorneys or doctors.
Happy 55th Medicare! Pres. Biden’s health care policies differ starkly from former Pres. Trump’s. I will discuss some of the key differences. The newest $1.9 trillion COVID bill passed February 27th. President Biden is sending a clear message for health care providers: His agenda includes expanding government-run, health insurance and increase oversight on it. In 2021, Medicare is celebrating its 55th year of providing health insurance. The program was first signed into law in 1965 and began offering coverage in 1966. That first year, 19 million Americans enrolled in Medicare for their health care coverage. As of 2019, more than 61 million Americans were enrolled in the program.
Along with multiple Executive Orders, Pres. Biden is clearly broadening the Affordable Care Act (“ACA”), Medicaid and Medicare programs. Indicating an emphasis on oversight, President Biden chose former California Attorney General Xavier Becerra to lead HHS. Becerra was a prosecutor and plans to bring his prosecutorial efforts to the nation’s health care. President Biden used executive action to reopen enrollment in ACA marketplaces, a step in his broader agenda to bolster the Act with a new optional government health plan.
For example, one of my personal, favorite issues that Pres. Biden will address is parity for Medicare coverage for medically necessary, oral health care. In fact, Medicare coverage extends to the treatment of all microbial infections except for those originating from the teeth or periodontium. There is simply no medical justification for this exclusion, especially in light of the broad agreement among health care providers that such care is integral to the medical management of numerous diseases and medical conditions.
The Biden administration has taken steps to roll back a controversial Trump-era rule that requires Medicaid beneficiaries to work in order to receive coverage. Two weeks ago, CMS sent letters to several states that received approval for a Section 1115 waiver – for Medicaid. CMS said it was beginning a process to determine whether to withdraw the approval. States that received a letter include Arizona, Arkansas, Georgia, Indiana, Nebraska, Ohio, South Carolina, Utah, and Wisconsin. The work requirement waivers that HHS approved at the end of the previous administration’s term may not survive the new presidency.
Post Payment Reviews—Recovery Audit Contractor (“RAC”) audits will increase during the Biden administration. The RAC program was created by the Medicare Prescription Drug, Improvement, and Modernization Act of 2003. As we all know, the RACs are responsible for identifying Medicare overpayments and underpayments and for highlighting common billing errors, trends, and other Medicare payment issues. In addition to collecting overpayments, the data generated from RAC audits allows CMS to make changes to prevent improper payments in the future. The RACs are paid on a contingency fee basis and, therefore, only receive payment when recovery is made. This creates overzealous auditors and, many times, inaccurate findings. In 2010, the Obama administration directed federal agencies to increase the use of auditing programs such as the RACs to help protect the integrity of the Medicare program. The RAC program is relatively low cost and high value for CMS. It is likely that the health care industry will see growth in this area under the Biden administration. To that end, the expansion of audits will not only be RAC auditors, but will include increased oversight by MACs, CERTs, UPICs, etc.
Telehealth audits will be a focus for Pres. Biden. With increased use of telehealth due to COVID, comes increased telehealth fraud, allegedly. On September 30, 2020, the inter-agency National Health Care Take Down Initiative announced that it charged hundreds of defendants ostensibly responsible for—among other things—$4.5 billion in false and fraudulent claims relating to telehealth advertisements and services. Unfortunately for telehealth, bad actors are prevalent and will spur on more and more oversight.
Both government-initiated litigation and qui tam suits appear set for continued growth in 2021. Health care fraud and abuse dominated 2020 federal False Claims Act (“FCA”) recoveries, with almost 85 percent of FCA proceeds derived from HHS. The increase of health care enforcement payouts reflects how important government paid health insurance is in America. Becerra’s incoming team is, in any case, expected to generally ramp up law enforcement activities—both to punish health care fraud and abuse and as an exercise of HHS’s policy-making authorities.
With more than $1 billion of FCA payouts in 2020 derived from federal Anti-Kickback Statute (“AKS”) settlements alone, HHS’s heavy reliance on the FCA because it is a strong statute with “big teeth,” i.e., penalties are harsh. For these same reasons, prosecutors and qui tam relators will likely continue to focus their efforts on AKS enforcement in the Biden administration, despite the recent regulatory carveouts from the AKS and an emerging legal challenge from drug manufacturers.
The individual mandate is back in. The last administration got rid of the individual mandate when former Pres. Trump signed the GOP tax bill into law in 2017. Pres. Biden will bring back the penalty for not being covered under health insurance under his plan. Since the individual mandate currently is not federal law, a Biden campaign official said that he would use a combination of Executive Orders to undo the changes.
In an effort to lower the skyrocketing costs of prescription drugs, Pres. Biden’s plan would repeal existing law that currently bans Medicare from negotiating lower prices with drug manufacturers. He would also limit price increases for all brand, biotech and generic drugs and launch prices for drugs that do not have competition.
Consumers would also be able to buy cheaper priced prescription drugs from other countries, which could help mobilize competition. And Biden would terminate their advertising tax break in an effort to also help lower costs.
In all, the Biden administration is expected to expand health care, medical, oral, and telehealth, while simultaneously policing health care providers for aberrant billing practices. My advice for providers: Be cognizant of your billing practices. You have an opportunity with this administration to increase revenue from government-paid services but do so compliantly.
Who knows that – regardless your innocence –the government can and will recoup your funds preemptively at the third level of Medicare appeals. This flies in the face of the elements of due process. However, courts have ruled that the redetermination and the reconsideration levels afford the providers enough due process, which entails notice and an opportunity to be heard. I am here to tell you – that is horse manure. The first two levels of a Medicare appeal are hoops to jump through in order to get to an independent tribunal – the administrative law judge (“ALJ”). The odds of winning at the 1st or 2nd level Medicare appeal is next to zilch, although often you can get the alleged amount reduced. The first level is before the same entity that found you owe the money. Auditors are normally not keen on overturning themselves. The second level is little better. The first time that you present to an independent tribunal is at the third level.
Between 2009 and 2014, the number of ALJ appeals increased more than 1,200 percent. And the government recoups all alleged overpayments before you ever get before an ALJ.
In a recent case, Sahara Health Care, Inc. v. Azar, 975 F.3d 523 (5th Cir. 2020), a home health care provider brought an action against Secretary of Department of Health and Human Services (“HHS”) and Administrator for the Centers for Medicare and Medicaid Services (“CMS”), asserting that its statutory and due process rights were violated and that defendants acted ultra vires by recouping approximately $2.4 million in Medicare overpayments without providing a timely ALJ hearing. HHS moved to dismiss, and the provider moved to amend, for a temporary restraining order (“TRO”) and preliminary injunction, and for an expedited hearing.
The case was thrown out, concluding that adequate process had been provided and that defendants had not exceeded statutory authority, and denied provider’s motion for injunctive relief and to amend. The provider appealed and lost again.
What’s the law?
Congress prohibited HHS from recouping payments during the first two stages of administrative review. 42 U.S.C. § 1395ff(f)(2)(A).
If repayment of an overpayment would constitute an “extreme hardship, as determined by the Secretary,” the agency “shall enter into a plan with the provider” for repayment “over a period of at least 60 months but … not longer than 5 years.” 42 U.S.C. § 1395ddd(f)(1)(A). That hardship safety valve has some exceptions that work against insolvent providers. If “the Secretary has reason to believe that the provider of services or supplier may file for bankruptcy or otherwise cease to do business or discontinue participation” in the Medicare program, then the extended repayment plan is off the table. 42 U.S.C. § 1395ddd(f)(1)(C)(i). A provider that ultimately succeeds in overturning an overpayment determination receives the wrongfully recouped payments with interest. 42 U.S.C. § 1395ddd(f)(2)(B). The government’s interest rate is high. If you do have to pay back the alleged overpayment prematurely, the silver lining is that you may receive extra money for your troubles.
The years-long back log, however, may dwindle. The agency has received a funding increase, and currently expects to clear the backlog by 2022. In fact, the Secretary is under a Mandamus Order requiring such a timetable.
A caveat regarding this grim news. This was in the Fifth Circuit. Other Courts disagree. The Fourth Circuit has held that providers do have property interests in Medicare reimbursements owed for services rendered, which is the correct holding. Of course, you have a property interest in your own money. An allegation of wrongdoing does not erase that property interest. The Fourth Circuit agrees with me.
By Ashley Thomson, Partner at Practus, LLP. A Virtual Law Firm.
On rare occasions a Court can issue an opinion that is so logical and on-point you want to stand up and cheer. Maybe you’re only cheering if you’re a HIPAA-nerd, like me. My name is Ashley and I work with Knicole. I was the assistant GC for Truman Medical Center for 17 years. As AGC at Truman, I was inundated with so many various issues.
Here’s what got me standing up in my home office as if Patrick Mahomes just threw a pass to Tyreek Hill and the KC Chiefs scored the winning touchdown in the Super Bowl—the 5th Circuit Court of Appeals held that a lost or stolen unencrypted device containing protected health information (“PHI”) does not automatically result in a violation of the HIPAA Disclosure Rule or Encryption Rule. If you want to do your own touchdown dance check out Univ. of Texas M.D. Anderson Cancer Ctr. v. United States Dep’t of Health & Human Servs., No. 19-60226, 2021 WL 127819, at *5 (5th Cir. Jan. 14, 2021).
Unless you’ve spent the last 20 years living under a rock, you are generally aware that HIPAA is a law that protects your health information from public disclosure. Most people don’t spell it correctly and even less people know what the acronym means. In 2009, HIPAA was supplemented with the HITECH Act. Together, these laws govern how health care providers handle your medical information and what to do if there is a breach of the information. HIPAA and HITECH’s implementing regulations (the “Regulations”) require all covered entities “implement a mechanism to encrypt” all PHI that is stored electronically. 45 C.F.R. Section 164.312(a)(2)(iv). Second, the Regulations prohibit unpermitted disclosure of PHI. 45 C.F.R. Sec. 164.502(a). These two regulations are referred to as the Encryption Rule and the Disclosure Rule respectively. These requirements are enforced by the Department of Health and Human Services (“HHS”) in conjunction with the Office for Civil Rights (“OCR”).
Whew, that was a quick history lesson. Now, back to the story.
In 2012 and 2013 MD Anderson Cancer Center (“MD Anderson”) had three (3) events happen involving unencrypted devices containing PHI. First, a laptop was stolen. Second, a thumb drive was lost during someone’s commute home. Third, a visiting researcher misplaced a thumb drive. Pursuant to the regulations, MD Anderson reported these events to HHS.
HHS concluded that MD Anderson violated the Regulations and imposed a fine over $4,000,000 (let me spell that out for you. . . FOUR MILLION DOLLARS).
You may be wondering, what in the world did they violate that would result in such an outrageous fine? So did MD Anderson!
MD Anderson threw its proverbial, red challenge flag and pursued its appeal rights and ended up, finally, in Federal Court where they succeeded on establishing that the mere loss of unencrypted PHI does not violate the Disclosure Rule and that the Encryption Rule does not require that a covered entity sit down and force each and every person to encrypt their devices.
Let’s look first at the Disclosure Rule. As a general rule, HIPAA prohibits the disclosure of PHI without permission from the patient. 45 C.F.R. Sec. 164.502(a). HIPAA defines disclosure as “the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.” 45 C.F.R. Sec. 164.103. Prior to reaching the 5th Circuit, MD Anderson had been told the mere fact that the unencrypted laptop and thumb drives were lost or stolen resulted in the conclusion the PHI had been improperly disclosed to someone outside of the covered entity. Thank goodness, the Court stepped in with the reasonable statement that many of us in the health care field have been saying for years. . . just because a device is lost or stolen doesn’t mean the PHI was improperly disclosed. “It defies reason to say an entity affirmatively acts to disclose information when someone steals it.” Univ. of Texas M.D. Anderson Cancer Ctr.,2021 WL 127819, at *5.
HHS claimed that it would be difficult for them to enforce the Disclosure Rule if it had to show that the PHI was disclosed to someone outside of the covered entity. Well, go complain to the referees HHS “that’s precisely the sort of policy argument that HHS could vet in a rulemaking proceeding. It’s not an acceptable basis for urging us to transmogrify the regulation HHS wrote into a broader one.” Id. And with that, the Court unceremoniously stated the obvious and provided some reason in the rather unreasonable world of HIPAA enforcement.
Next up? The Encryption Rule where HHS argued that MD Anderson’s desire to do more to encrypt their devices was an admission of non-compliance with the regulations. Not so fast, said the Court. The rule requires that a covered entity have a mechanism for the encryption PHI not that it implements an iron clad, hacker proof, 100% guaranteed encryption system. MD Anderson had an encryption mechanism which is enough to satisfy the regulation, even if HHS now “wishes it had written a different” regulation. Id.at *4.
I feel like this is the SUPERBOWL of HIPAA decisions. You may not be as excited about this opinion as I was. That’s ok. . . I’m a HIPAA and privacy nerd and I’m ok with that.
Let’s hope I have many touchdowns to stand up and celebrate on Sunday! Go Chiefs!
The legal fine print: As exciting as this opinion is, please remember that devices should be encrypted and PHI should be protected to the maximum extent possible. While this is a great decision, it doesn’t remove the obligation to comply with the Regulations.
 PHI contains 18 different identifiers. 42 C.F.R. § 164.514(a)(2)(i).
 It’s the Health Insurance Portability and Accountability Act of 1996.
 HITECH stands for the Health Information Technology for Economic and Clinical Health Act of 2009.
 Later, we can delve into what qualifies as a covered entity. Let’s just all agree that MD Anderson is a covered entity.
 This is a very simple overstatement, but it works for the purposes of this article.
 Let’s face it, most of these devices are lost or stolen and (1) never found or (2) thrown out as the thieves take what they really wanted . . . cold hard cash or credit cards. An old janky laptop or a random thumb drive is not at the top of the most wanted list for kleptomaniacs.