Equal Service = Equal Payments
HHS proposed a rule that would eliminate the premium paid by Medicare for services performed in “hospital” settings. This prior rule resulted in a disparity in Medicare payments where hospital-affiliated clinics get paid more than physician offices for the same service. Some cite this as the reason there has been a race for hospital-physician consolidation and hospital purchase of physician practices.
The United States Court of Appeals for the District of Columbia confirmed that HHS has the authority under HHS’s power to control unnecessary increases in the volume of covered outpatient services. A number of technical arguments were made but unlike the lower Court, the Court of Appeals ruled for HHS.
Assuming the Court of Appeals ruling stands, it is likely that HHS will promptly impose the rule for 2021 and eliminate the hospital based clinical services premium which has existed for a number of years. It remains to be seen whether hospitals will either stop acquiring physician practices due to the lack of the hospital site premium or will begin to expel physicians in an attempt to drive costs out of the hospital cost base.
Telehealth Here to Stay?
There are a number of indications from both HHS and private insurers that telehealth is one practice delivery method which is likely to stay with us and even expand over the next several years. Congressional leaders, private insurer executives and others have cited the COVID-19 pandemic as one reason for making sure that telehealth is available during crises in a post COVID-19 environment.
Such bills would specifically make permanent the temporary waiver authority for HHS Secretary for any future emergency periods and seek to remove arbitrary geographic limitations on Medicare telehealth. The current legislation proposed as a bipartisan bill is called the “Keep Telehealth Options Act.”
HIPAA has been a statute affecting privacy and healthcare for years. Now various state laws regarding not only access to “private” information, but even more fundamental privacy statutes have begun to appear and create litigation. Illinois has a biometric privacy statute. This statute and similar statutes seem to limit or prohibit certain uses of biometric data including facial recognition data. Facial recognition systems have become pervasive at airports, shopping centers, apartment buildings and other places. The battle is on to determine when such systems can be used and when they cannot and what to do with the data created by such systems and sensors.
Many hospitals, doctor’s offices, clinics and similar facilities use cameras to surveil and collect data regarding their surroundings and the people. What do you do with that data? Is it erased daily, is it kept, for how long, who has access to that data, your surveillance company/camera supplier?
All of these questions need to be answered not only to comply with state laws, but also so you fully understand what data you collect and what happens to that data. Learning how your system works as a defendant in a lawsuit is not a winning plan.
391,000 to 0
Ransomware claims are fairly simple-a bad acting party (hacker) eliminates access for a company (in this case a regional dental center) and then demands money to re-establish the link between the dental center’s data and the dental center. This particular case was the fifteenth largest health data breach reported in 2019. Following the announced breach/ransomware demand, a lawsuit was filed by those persons whose data was located in the Cuero Regional Dental Center. The Plaintiffs sought a class action designation because of the “increased risk of identity theft as well as the costs of monitoring their credit.”
Due to the nature of ransomware attacks, it is seldom possible to create a direct line between the ransomware lock down of data, the subsequent demand for a ransom payment and the actual theft and dissemination of PHI and credit data of the customers of the dental center. As the Judge wrote, “The fact that the breach occurred cannot, in and of itself, be enough, in the absence of any imminent or likely misuse of protected data, to provide Plaintiffs with standing to sue. The Plaintiffs failed to allege that they or members of the putative class have suffered actual identity theft. Instead their pleading speaks of ‘possibility’ and traffics in ‘maybes.’”
The underlying assumption by the Court must be that ransomware attackers do not ultimately sell or disseminate the patient PHI or credit and other personal data, whether the ransomware attackers are paid or not paid. It is not clear how the Court came to that determination.
CMS – Physicians and Other Clinicians: CMS Flexibilities to Fight COVID-19
CMS and some insurers are signaling welcome flexibility for practices during this unusual time. Billing for telehealth services, pre-approval waivers and other changes are needed and welcome.
This newsletter is edited by Paul Wallace of Jones • Wallace, LLC, a member of the American Health Lawyers Association who has been representing physicians and healthcare practices for over 25 years. Mr. Wallace assists physicians, practices and hospitals in contract items, federal legal compliance, practice entity creation, estate and wealth planning and similar issues. Please feel free to call if you have any questions on this newsletter or legal matters at (812) 402-1600 or firstname.lastname@example.org.