Health Law Alert

OIG November 2017 Work Plan Update

The OIG added four items to its Work Plan with the November 2017 update, as listed on the chart below. Interestingly, three of the four new items relate to Medicaid. Hot topics include prescriptions for extreme amounts of opioids and Medicaid’s use of telemedicine. Hospitals will want to know that the OIG is looking into hospital inpatient billing for severe malnutrition. Below are brief descriptions of the four new items.

Following a trend from the previous two Work Plan updates and consistent with the government’s growing focus on the opioid crisis, the OIG will be examining prescriptions for extreme amounts of opioids to Medicaid beneficiaries. The OIG observes that Medicaid beneficiaries, particularly those on disability, are more susceptible to opioid abuse because they are more likely to have conditions that require pain relief. The OIG intends to look at the issue from both the beneficiary side and the prescriber side. The overall goal of the study is to generate “baseline data about beneficiaries receiving extreme amounts of opioids and prescribers with questionable patterns for opioids in Medicaid.”

Authored by: Michaela D. Poizner,


OIG Advisory Opinion 17-06: Another Medigap/PHO Arrangement Approved

Advisory Opinion 17-06 joins a long list of opinions approving arrangements between a Medicare Supplemental Health Insurance (Medigap) insurer and a preferred hospital organization (PHO). While this advisory opinion does not offer new insights with respect to Medigap/PHO arrangements, the OIG has remained consistent in its approach to them.

As with prior similar requests, the Medigap insurer here sought approval of an agreement in which it would contract with a PHO, and the hospitals within the PHO’s network would provide discounts of up to 100 percent on the Medicare Part A inpatient hospital deductibles covered by the insurer. The hospitals would not provide any additional benefits to the Medigap insurer or its policyholders, and the insurer would pay a fee to the PHO for administrative services each time it received a discount. The Medigap insurer would also return a portion of the savings to those policyholders who had an inpatient stay at a network hospital via a $100 credit toward their next renewal premium. The use of non-network hospitals would not subject policyholders to penalties or otherwise affect liability for costs covered by the Medigap plans.

Authored by: Andrew J. Droke,


“Breaking Bad” News: Sharing PHI During Opioid Crisis

In response to President Trump’s declaration of the opioid crisis as a public health emergency, the Office for Civil Rights (OCR) released guidance intended to educate health care providers on how they can respond to requests for protected health information (PHI) during an opioid crisis. OCR’s guidance does not reveal any new or revised standards for disclosure of PHI, but rather it instructs health care providers on how existing HIPAA rules apply to sharing PHI with a patient’s family members, close friends or legal representative during a crisis situation, such as an opioid overdose.

The guidance illustrates how PHI may be shared without the patient’s consent in an opioid crisis, but the prevailing HIPAA rules permit disclosure of PHI any time the criteria noted below are satisfied. Specifically, providers may share PHI:

  • with a patient’s family, and close friends when doing so is in the best interests of an incapacitated or unconscious patient; and
  • when doing so would prevent or diminish a serious and imminent threat to the patient’s health and safety.

Authored by: Ashley L. Thomas,
Reviewed by: Tracy E. Weir,


Physician Practice Penalized by DOJ for 60-Day Overpayment Rule Violation

The Department of Justice (DOJ) imposed False Claims Act penalties against First Coast Cardiovascular Institute (FCCI) for failing to work credit balances and repay overpayments to federal health care programs. On October 13, 2017, DOJ announced that FCCI agreed to pay $448,821 to resolve False Claims Act allegations brought by a former employee of FCCI. The qui tam lawsuit alleged that FCCI wrongfully delayed repayment of approximately $175,000 in potential overpayments to federal health care programs beyond 60 days. This settlement represents a warning to providers who intentionally drag their feet in the face of a potential overpayment, and fail to diligently investigate and repay monies owed to federal health care programs.  Authored by: Stewart W. Kameen,

Reviewed by: William T. Mathias, 410.862.1067,


Webinar | LTC Disaster Readiness: How Your Facility Can Prepare, Respond, and Recover

As recovery efforts take center stage in areas affected by natural disasters that have recently impacted our nation, it is critical that the long term care industry is aware of the unique issues presented by these events.

This webinar covers the regulatory framework relevant to this industry, including new requirements that went into effect on November 15, 2017, as well as additional changes sometimes implemented post-event, and the rules and requirements specifically applicable to entities who may be eligible for aid through federally funded relief programs, including those administered through the Federal Emergency Management Agency. The session concludes with recommendations for disaster response and preparedness, including a summary of common issues and best practices to minimize risks. Presented by Baker Donelson attorneys Ernest B. Abbott, Wendy Huff Ellard, Meredith N. Larson, and Danielle Trostorff.

View the webinar here.

Co-Chairs, Health Care Regulatory Group

Jonell B. Beeler
Catherine A. Martin

HBMA GR Update

Summary of 2018 MACRA Final Rule
On November 2, 2017,the Centers for Medicare and Medicaid Services (CMS) released the final rule for the 2018 reporting year/2020 payment year for the Medicare Quality Payment Program (QPP). The final rule kept most of what was included in the proposed rule however CMS made several important modifications to some of its proposals. Below, is a summary of the 2018 QPP reporting year as finalized by CMS as well as how the final policies compared to HBMA’s comments on the proposed rule.

Updates to the Merit-based Incentive Payment System (MIPS)   Benchmark Composite Performance Score (CPS) for Second Transition Year
CMS is finalizing an increase to the benchmark CPS to 15 points for 2018. The benchmark CPS is the score Eligible Clinicians (EC) must achieve to avoid the negative payment adjustments under MIPS. For 2018, ECs who fail to reach the benchmark CPS will receive a five percent downward adjustment to their 2020 Medicare Part B payments. The benchmark CPS score is three points for the 2017 reporting year.   The exceptional performance threshold for qualifying for additional bonus payments is 70 CPS points.   CMS is also finalizing its proposal to make the 2018 reporting year a transition year similar to the 2017 reporting year. ECs will be able to “pick their pace” for participating meaning they do not need to participate in every reporting category for an entire year to avoid negative payment adjustments. As long as an EC earns a CPS of 15, they will avoid negative payment adjustments.   HBMA supported the benchmark score of 15 and maintaining the pick your pace flexibility in the 2018 reporting year.

Read the full summary online to review:

  • Low-Volume Threshold
  • Non-Patient Facing Threahold
  • Reweighting of Resource Use (Cost) Performance Category
  • Delaying Multiple Submission Methods for MIPS Reporting
  • Other Adjustments for CPS
  • Feedback Reports
  • Virtual Groups
  • Quality Performance Category
  • Advancing Care Information (ACI) Category
  • Additions to Clinical Practice Improvement Activity (CPIA) List

Updates for Advanced Alternative Payment Model (Advanced APM)Participation
ECs can be exempt from MIPS if they participate in Advanced Alternative Payment Models (Advanced APM). ECs can either be full or partial participants. Both designations guarantee an exemption from MIPS reporting and payment adjustments. Fully qualifying participants (QP) are eligible for a five percent lump sum bonus payment in 2020 based on their 2019 Medicare Part B revenue.  There are three components of Advanced APMs, the Advanced APM model, such as the Medicare Shared Savings Program (MSSP), the Advanced APM Entity, such as XYZ Health System’s Accountable Care Organization (ACO), and finally the Advanced APM participants who are the individual ECs or groups participating in an Advanced APM. The final rule sets the requirements for all three of these components.


2018 Medicare Physician Fee Schedule Final Rule Summary
On November 2, 2017, the Centers for Medicare and Medicaid Services (CMS) issued the 2018 Medicare Physician Fee Schedule (MPFS) final rule. This regulation finalizes changes in payment rates for Medicare services covered under the MPFS and sets other Medicare payment policies. CMS finalized many of the recommendations HBMA made in our comments to CMS on the proposed rule. Below is a summary of what CMS finalized and how these policies compare to what HBMA recommended.

Update to the MPFS Conversion Factor (CF)
For 2018, CMS is finalizing a 0.41 percent increase to the MPFS Conversion Factor (CF). The 2018 CF will be $35.99, up from $35.89 in 2017. This update reflects the 0.50 percent update established under the Medicare Access and CHIP Reauthorization Act (MACRA) of 2015, reduced by 0.09 percent, due to the misvalued code target recapture amount, required under the Achieving a Better Life Experience (ABLE) Act of 2014.

Appropriate Use Criteria for Advanced Diagnostic Imaging
The MPFS finalizes a delay in when CMS will require ordering professionals to consult clinical decision support mechanisms (CDSM) that incorporate approved Appropriate Use Criteria (AUC) for advanced imaging procedures. CMS will not require ordering professionals to consult CDSM until 2020. CMS will allow voluntary reporting beginning July 2018 through the end of 2019.  Although ordering professionals would be required to start using AUCs and reporting this information on their claims in 2020, CMS is proposing to pay claims for advanced diagnostic imaging services regardless of whether the claim correctly includes the required information on which AUC was consulted. This is intended to help providers adjust to this new policy. CMS will include an education component during this first required reporting year.  HBMA supported this delay but also called for substantial changes to way this policy is designed. Specifically, HBMA expressed concern over the fact that the furnishing provider’s payments are affected by something required of the ordering provider. CMS did not adopt these recommendations. HBMA will continue to advocate for a better system for reporting AUC consultation.

Read the full summary online to review:

  • Site Neutral Payments for “Nonexcepted” Off-campus Provider-based Hospital Departments
  • Updating Evaluation and Management Coding Guidelines
  • Changes to 2016 Quality Reporting
  • Medicare Telehealth Services
  • Patient Relationship Codes
  • Transition from Traditional X-Ray Imaging to Digital Radiography


Peer Review Not Protected: U.S. Supreme Court Will Not Disturb Florida Decision Limiting the Patient Safety and Quality Improvement Act

By Alisa L. Chestler, CIPP/US and Andrew J. Droke

A multi-year discovery dispute regarding the adverse medical incident reports of a Jacksonville, Florida hospital concluded on October 2, 2017 when the United States Supreme Court denied a petition for a writ of certiorari in Southern Baptist Hospital of Florida, Inc. v. Charles. Because the Supreme Court declined to hear the case, the Supreme Court of Florida’s January 2017 decision will continue to limit the protections afforded to certain peer review activities under the federal Patient Safety and Quality Improvement Act (PSQIA).

Health care providers that collect and report information to patient safety organizations (PSOs) should perform a detailed review of their patient safety evaluation (PSE) systems, as reporting systems may require restructuring to ensure that the privileges afforded by PSQIA will apply.

The Patient Safety and Quality Improvement Act vs. Florida Constitution Amendment 7

PSQIA was enacted in 2005 with the goal of improving patient safety and health care quality by establishing a voluntary, confidential, and non-punitive system for the reporting of medical errors and near-miss data. The free-flow of information was intended to improve patient outcomes. As a result, providers, facilities, and health systems have established PSE systems to collect and report data to PSOs, which then aggregate, analyze, and use the information to help minimize medical risk by providing feedback and assistance.

Recognizing that the collection and reporting of this data also presents the potential for increased liability exposure, Congress established a statutory privilege for “patient safety work product,” which generally includes “any data, reports, records, memoranda, analyses (such as root cause analyses), or written or oral statements” created for or supplied to a PSO.

In contrast, in 2004, Florida adopted a constitutional amendment commonly referred to as “Amendment 7,” which established a state-wide right of access to the adverse medical incident records of health care providers. Because of the breadth of this provision, Amendment 7 has frequently been relied upon by plaintiffs in medical malpractice litigation to collect records from defendant providers.

The conflict between the confidentiality afforded by PSQIA and the access secured via Amendment 7 was squarely before the court in Charles. There, a medical malpractice plaintiff served written discovery requests seeking all adverse medical incident reports in the defendant hospital’s history as well as other records of treatment and care during specific time periods. In response, the defendant hospital produced two occurrence reports related to the patient at issue, but objected to providing any additional adverse medical incident data based upon the privileges afforded by PSQIA.

After the trial court granted the motion to compel and the First District Court of Appeal reversed, the plaintiff appealed to the Supreme Court of Florida. Favoring access under Amendment 7, Florida’s high court held that the hospital’s adverse medical incident records did not qualify as patient safety work product under PSQIA and that the federal act did not preempt Amendment 7. Thus, the adverse medical incident data sought was discoverable.

The Florida Supreme Court specifically opined that the requested reports were not privileged because Florida law required the hospital to maintain the records. In so holding, the court effectively established a rule whereby Florida health care providers must create reports solely for the purpose of submission to a PSO in order for the reports to qualify as privileged patient safety work product. Further, even if this conflicts with the stated purposes of PSQIA, the United States Supreme Court’s October 2, 2017 denial of the hospital’s petition for a writ of certiorari concludes the inquiry.

Now, even if prepared via a PSE system and reported to a PSO, PSQIA will not protect from discovery the adverse medical incident reports created by Florida health care providers to comply with state reporting obligations. Health care providers should take steps to revise their PSE systems accordingly.

What You Need to Know

Because the U.S. Supreme Court will not revisit the decision in Charles, Florida health care providers should review and consider whether their PSE systems combine state-required reporting obligations with reports to PSOs. The combination of reporting functions is likely to limit the ability to shield such reports from discovery in civil litigation.

If you have any questions or would like assistance in evaluating your PSE systems, please contact a member of the BakerOber Health Law Group or Health Care Litigation Team.

About the Authors

Alisa L. Chestler, CIPP/US
Andrew J. Droke


Alert Series

Cyber-Threats: What You Need to Know to Protect Your Business Now

Baker Donelson’s Data Protection, Privacy and Cybersecurity attorneys are pleased to continue a series of client alerts that address significant cyber-threats to your business and discuss ways you can protect your business with thoughtful and timely planning before an emergency arises. Proper planning includes recognition of the threats, assessment of the risk, and then examination of the facts and tools at your disposal to mitigate the risks. The series will address your options, from adopting appropriate IT policies and procedures to acquiring contractual indemnity and insurance for specific loss risks. When there is a recommended technical solution available, we will consult with leading expert vendors and provide their input. We often hear that in today’s tech environment, it’s not a matter of whether you will be hacked or attacked, but when; therefore, we want to help you be well prepared for future challenges.

Our series will help you get ahead of the game. We offer guidance on shopping for cybersecurity insurance; protecting your business from DDoS attacks and ransomware; establishing a smart data management planevaluating vendor relationships; handling disgruntled employees and other internal threats; and testing for data security events.

Brad Moody
Sam Felker

Ready, Set, Go: Preparing and Testing for Data Security Events

By Zachary Busey, CIPP/US

Target, Ashley Madison, Sony, Home Depot – these events define the last few years of data security. With 2017 nearing an end, Verizon, the IRS, Equifax, and the SEC have joined this list. These events draw our attention because they are large-scale and highly publicized. Absent from this list are the thousands of events impacting day-to-day operations of companies across the country. In today’s tech environment, it’s not a matter of if your company will experience a data security event, but when and to what degree. Is your company ready?

Companies prepare for events all the time: power outages, product launches, hiring and firing of staff, inclement weather, theft, media announcements, etc. While companies do so in different ways, from large scale to small, the steps are the same: (1) identify potential security events; (2) develop a plan; (3) review and test the plan; (4) revise the plan; and (5) repeat as needed.

Identify Potential Security Events

When it comes to data security, identifying potential security events starts with knowing the data a company has and where it is stored. Say, for example, a company keeps hardcopies of personnel and employee medical files. Those files could be copied or physically taken. At the same time, when a company’s website is susceptible to a DDoS attack, their wireless devices can be overtaken and used during that DDoS attack. Electronic data can be copied by employees or stolen by hackers, as the system has become unsecure. Additionally, electronic data, when shipped or transmitted – whether internally or externally – can be intercepted. Finally, an employee could click on a malicious link or download a file which would allow outsiders access to the company’s system. The scope and severity of the event(s) will vary based on the size of the company and the nature of their business.

Develop a Plan

Your plan has two parts. The first part is prevention. The hard copies of personnel and employee medical files should be secured in locked file cabinets and in a file room to which access is monitored and logged. Website traffic is evaluated and additional server resources are available in the event of a DDoS attack. Wireless devices are protected by passwords, preventing their use in a DDoS attack. A company’s most sensitive electronic data is encrypted. Networks are secured with passwords; and access is monitored and logged. Third-party providers and outside holders of electronic data sign agreements affirming the implementation of controls and security, and employees are trained and regularly reminded to avoid malicious links and downloads.

The second part is reaction. When a hard copy file is stolen or electronic data is copied, a company has to know who to notify, internally, externally, or both. In the event of a DDoS attack, an individual or provider has to be told to allocate additional server resources. Statutes and regulations also drive reactions, often requiring companies to notify state agencies, consumers, or both in the event data is stolen. A reaction plan should include when legal counsel is consulted. Engaging counsel early in the process better positions a company to maintain confidentiality over certain communications about the event.

Review and Test the Plan

It seems obvious, but a plan should be reduced to writing and distributed to those involved. Your plan should also be reviewed by those involved, including legal counsel. Like any workplace policy, those involved should acknowledge in writing their receipt and review of the plan. This written acknowledgment provides the basis of discipline, up to and including termination, should an employee or third-party vendor fail to execute their responsibilities under the plan.

Testing the plan is vitally important. As with every part of this process, the extent and sophistication of any testing will vary from company to company. Testing can be simple, such as talking through reactionary measures on a call or in a meeting. A company, however, should not stop at simple. More sophisticated testing has become commonplace. Companies need to simulate events, and whether staging a file theft or a hacking incident, companies need to experience these events in real time. Penetration testing (or pen testing) can be utilized. Pen testing is typically done with the assistance of a third party and often without company employees knowing the test is occurring. The goal of a pen test is to determine vulnerabilities in a company’s systems and network. Common approaches mimic hacks and other cyber events, such as DDoS and brute force attacks. Other examples include staging the theft of a hard copy file, sending an email to test whether employees click malicious links, or calling employees to see if they provide access credentials.

The harder a company tests a plan – i.e., closely simulating real-world, real-time scenarios – the better a plan will be. Briefings for board members and the c-suite help companies ensure that these issues are taken seriously and given the necessary resources. The ultimate goal is to identify strengths and weaknesses of any plan, and then develop options for emphasizing strengths and addressing weaknesses.

Revise and Repeat

A plan’s first draft should not be the only draft. Through testing and review, plans should be revised and updated. In general, this process should be repeated regularly. It must be repeated each time technology is updated; a company decides to retain a new category of data; or a company begins storing data in a different way. If you have any questions or would like additional information regarding event planning and testing, please contact Zachary Busey, CIPP/US or any member of the Firm’s Data Protection, Privacy, and Cybersecurity Team.

About the Author

Zachary Busey, CIPP/US

HBMA Washington Report – October Issue

Washington Report – October, 2017
(Covers activity between 10/1/17 and 10/31/17)
Bill Finerfrock, Matt Reiter, Nathan Baugh,
Deanna Marcarelli, Carolyn Bounds

Washington Report – October Issue

  • CMS Finalizes Regulations for 2018 MIPS Reporting Year
  • 2018 ACA Open Enrollment Begins on November 1st
  • CMS Issues 2018 Medicare Physician Fee Schedule Final Rule
  • Senators Announce Short-term Bipartisan ACA Stabilization Bill
  • President Trump Issues Executive Order Promoting Alternatives to ACA Plans
  • CMS Creates SSNRI Ombudsman
  • MedPAC Proposing to Replace MIPS
  • CMS Updates FAQ Clarifying Virtual Credit Card Policy
  • Republicans Introduce Major Tax Reform Bill
  • Reminder to Review PQRS Feedback Reports and QRURs
  • Senate Confirms Number Two at HHS Who is Now Serving as Acting Secretary
  • House Passes Small Business Cybersecurity Bill
  • House of Representatives Votes to Repeal IPAB
  • Seema Verma Announces Meaningful Measures Initiative
  • CMS Transmittals