Healthcare Law News - Volume 120
Medicaid Payment Appeals
We have previously written about the federal statute that requires CMS Administrative Law Judges to hear and render a decision within 90 days after a timely request. We have also written that CMS instead takes years to rule on appeals and courts have refused to take action against CMS.
Ignoring the 90-day requirement has created substantial problems. Medicare appeals may take 3-5 years to reach a decision.
Family Rehab received a demand for $7.6 million in Medicare overpayments. Family Rehab promptly began the four-stage Medicare administrative appeal process. After the first two levels of appeal, which are essentially asking a MAC auditor for a redetermination of the overpayment and then seeking reconsideration from a QIC contractor, Medicare began “recoupment.” Family Rehab countered that if the appeal took 3-5 years, it would quickly go out of business through the recoupment or withholding of payments by CMS. In the past, this has been the end of the story, as the provider simply goes out of business. Past efforts to ask a court to enjoin or prohibit CMS from recouping claimed overpayments unless CMS followed the federal statute requiring a hearing and decision in 90 days have generally resulted in courts saying they did not have jurisdiction over the matter.
There is some hope. The Fifth Circuit US Court of Appeals (think Mississippi, Louisiana and Texas) recognized an exception and ordered CMS to stop the recoupment until CMS ruled on Family Rehab’s third-level appeal, which is a de novo review. In this appeal, a provider can have a live hearing, present testimony, cross-examine witnesses and argue about law and fact. This is the level where 90 days is the statutory limit between a timely request and a decision.
CMS’s lawyers conceded that an appeal would not occur and a decision would not be rendered for at least 900 days (note this is ten times the statutory limit). Family Rehab argued, without any contrary evidence from CMS, that it would be insolvent well before 900 days. The Court found that, since Family Rehab was not asking the Court to rule on the underlying dispute regarding overpayments but simply asking for relief that would not be available from CMS’s administrative process, the Court had the power to issue an injunction stopping CMS from recoupment.
We believe this is a very important opening since prior to this March 2018 decision, there simply was no available remedy to recoupment, even if the recoupment demand was based upon a faulty MAC or RAC audit.
It’s Still Your Fault
A networked medical practice in New Jersey will pay over $400,000.00 to resolve an investigation by the New Jersey Attorney General. In this case, patient records were leaked by a transcription vendor serving Virtua Medical Group. Approximately 1,600 patients’ medical records were exposed online.
Even though the leak was traced to a server overseen by a third-party business associate of Virtua, New Jersey says that is not enough to escape liability. New Jersey apparently requires that providers vet vendors for the quality of their security arrangements. There is no explanation of how a provider would do that, or do it sufficiently for New Jersey.
Although this seems unfair to providers, this appears to be the future of both OCR and state-level scrutiny. We recommend you have a checklist and survey of each of your vendors on the vendor’s security practices to show you made a reasonable effort to vet the security quality of your business associates. Also, if there is even a hint of a breach by your vendor, you will want to show you took all immediate and necessary steps to terminate the breach, notify the appropriate authorities and notify patients.
SAMSAM Ransomware
Health and Human Services issued an alert regarding SAMSAM malware. Apparently two Indiana hospitals, a cloud-based EHR provider, Colorado’s Department of Transportation and others have been attacked by SAMSAM, which denies an infected organization access to its own data files.
According to reports, the cloud EHR provider was Allscripts and one of the Indiana hospitals was Hancock Health, which apparently paid $55,000.00 in bitcoin to unlock its data systems after a SAMSAM attack earlier this year.
This attack emphasizes the need for constant surveillance of your data files, timely installation of patches and updates, and a well-thought-out plan for responding to such an attack, whether successful or unsuccessful. HHS recommends:
- Use VPNs to restrict access behind firewalls;
- Use strong/unique usernames and passwords and consider using two-factor authentication;
- Strictly limit users who can log in using a remote computer; and
- Implement an account lockout policy to help stop or limit the effect of brute-force attacks.
This newsletter is edited by Paul Wallace of Jones • Wallace, LLC, a member of the American Bar Association Healthcare Law Section and the American Health Lawyers Association who has been representing physicians and healthcare practices for over 25 years. Mr. Wallace assists physicians, practices and hospitals in contract items, federal legal compliance, practice entity creation, estate and wealth planning and similar issues. Please feel free to call if you have any questions on this newsletter or legal matters at (812) 402-1600 or pwallace@joneswallace.com.