<p>The HHS Office for Civil Rights (&ldquo;OCR&rdquo;) recently issued a new <a href="https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html" target="_blank"><strong>fact sheet</strong></a>&nbsp;(&ldquo;Fact Sheet&rdquo;) addressing direct liability of business associates for violations of the HIPAA Privacy, Security and Breach Notification Rules (&ldquo;HIPAA Rules&rdquo;). The Fact Sheet serves as a reminder to business associates that in addition to their contractual liability to covered entities under the business associate agreements, business associates also have direct liability under HIPAA and are subject to OCR enforcement for violations of the HIPAA Rules. The Fact Sheet outlined the specific requirements of the HIPAA Rules with respect to which the OCR has authority to take enforcement action against business associates. These requirements include:</p> <ol> <li>Impermissible uses and disclosures of PHI;<br /> <br /> </li> <li>Failure to comply with the Security Rule;<br /> <br /> </li> <li>Failure to provide breach notification to a covered entity or, for subcontractor arrangements, to a business associate;<br /> <br /> </li> <li>Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request;<br /> <br /> </li> <li>Failure to enter into HIPAA compliant business associate agreements with subcontractor business associates;<br /> <br /> </li> <li>Failure to take reasonable steps to address a material breach of the subcontractor&rsquo;s business associate agreement;<br /> <br /> </li> <li>Failure to provide the Secretary of HHS with records and compliance reports, cooperate with complaint investigations and compliance reviews and permit access by the Secretary of HHS to PHI and other information pertinent to determining HIPAA compliance;<br /> <br /> </li> <li>Failure to disclose a copy of electronic PHI to the covered entity, the 
individual or the individual&rsquo;s designee (as specified in the business associate agreement) to satisfy a covered entity&rsquo;s obligations for providing access to PHI under the Privacy Rule;<br /> <br /> </li> <li>Failure to provide an accounting of disclosures; and<br /> <br /> </li> <li>Taking any retaliatory action against any person for filing a HIPAA complaint, participating in an enforcement process, or opposing a practice unlawful under HIPAA.</li> </ol> <p>Numerous vendors which provide services involving access to PHI to healthcare organizations that are HIPAA covered entities can be considered business associates under HIPAA. Simply entering into business associate agreements with covered entities is not sufficient for HIPAA compliance. Rather, it is essential that business associates implement a HIPAA compliance program to address compliance with the HIPAA Rules. The Fact Sheet can serve as a resource for business associates to review their HIPAA policies and procedures to ensure compliance with the applicable requirements of the HIPAA Rules.</p> <p>If you have any questions about HIPAA compliance or need any assistance with establishing a HIPAA compliance program, please contact the author of this article.</p> <p><em><a href="/people/milada-goturi"><strong>Milada</strong></a></em><em><a href="/people/milada-goturi"><strong>&nbsp;Goturi</strong></a> is a member of Thompson Coburn&rsquo;s health care practice.</em></p>

<p>Many hospitals share space with other providers. Previously, CMS&rsquo; guidance on the permissibility of such arrangements was informal and could vary by Regional Office. On May 3, 2019, CMS issued long-awaited draft guidance addressing such co-location arrangements (&ldquo;Draft Guidance&rdquo;). The Draft Guidance provides some clarification on how a hospital can share space, services, staff and emergency services and still demonstrate independent compliance with the Medicare Conditions of Participation for hospitals (&ldquo;COPs&rdquo;). The Draft Guidance reflects both recognition by CMS that co-location arrangements exist today and an effort by CMS to offer some flexibility on structuring such arrangements.&nbsp;</p> <h2>Distinct and shared spaces</h2> <p>CMS defines co-location as &ldquo;two hospitals or a hospital and another healthcare entity [which] are located on the same campus or in the same building and share space, staff, or services.&rdquo; The concerns with such arrangements primarily relate to the co-located hospital being able to demonstrate compliance with the COPs. While the Draft Guidance signals that CMS is willing to recognize certain co-location arrangements, it also makes clear that CMS does not permit sharing of clinical spaces. CMS reaffirms that a hospital must have &ldquo;defined and distinct spaces of operation for which it maintains control at all times,&rdquo; which includes clinical spaces for patient care. Examples of such clinical spaces include laboratories, pharmacies, imaging services, operating rooms, outpatient clinics, post-anesthesia care units, and emergency departments. The rationale here is largely grounded in patient safety and confidentiality concerns.&nbsp;</p> <p>Conversely, CMS is providing more flexibility when considering shared use of public spaces and public paths of travel by co-located hospitals or health care entities. 
Examples of such spaces include public lobbies, waiting rooms and reception areas (with separate check-in areas and clear signage), public restrooms, staff lounges, elevators, and main entrances to a building. The Draft Guidance identifies travel through a clinical space (e.g., a hallway through a nursing unit) as an impermissible path of travel and travel through public space (e.g., through the main hospital lobby) as a permissible path of travel.</p> <h2>Contracted services</h2> <p>In the Draft Guidance, CMS indicates that certain hospital services may be provided through a contract with another co-located hospital or other entity. The Draft Guidance affirms previously articulated views that services such as food preparation, housekeeping, laboratory services, and utility services (e.g., fire detection and suppression, medical gases, suction, compressed air, and alarm systems) can be contracted services.&nbsp;</p> <p>The Draft Guidance indicates that medical staff members with clinical privileges at each co-located health care entity may &ldquo;float&rdquo; between them. However, other care providers may not &ldquo;float&rdquo; between the two facilities during a single shift. 
CMS opined that if such essential staff were to &ldquo;float&rdquo; between entities, neither co-located facility would meet the COP requirements.&nbsp;</p> <p>In addition, when a hospital uses contracted services, the hospital&rsquo;s governing body must be able to:</p> <p style="margin-left: 40px;">(1) verify that any contracted clinical services are not being simultaneously &ldquo;shared&rdquo; with another hospital or entity,&nbsp;</p> <p style="margin-left: 40px;">(2) demonstrate how the hospital monitors the performance of its contracted services, and&nbsp;</p> <p style="margin-left: 40px;">(3) demonstrate how the hospital ensures that all individuals providing services under contract have been oriented and trained consistent with hospital policies and procedures.</p> <h2>Emergency services</h2> <p>Under the COPs, hospitals without an emergency department are still required to have appropriate policies and procedures to address emergencies 24 hours a day and seven days per week. The Draft Guidance indicates that these hospitals are allowed to contract with another hospital or entity for appraisal and initial treatment of patients experiencing emergencies, but the contracted staff may not be working or be on duty simultaneously at another hospital or healthcare entity. The Draft Guidance indicates, however, that hospitals without emergency departments that are co-located with another hospital may not arrange to have that other hospital respond to its emergencies.&nbsp;</p> <p>The Draft Guidance states that it is acceptable to transfer patients to co-located entities for continuation of care. The Draft Guidance further states that hospitals without an emergency department that contract for emergency services with another hospital&rsquo;s emergency department are considered to provide emergency services and must comply with EMTALA. 
However, the full scope of this provision and its implications for hospitals is not clear and would require further clarification from CMS.</p> <p>CMS is seeking comments to the Draft Guidance by <strong>July 2, 2019</strong>, prior to issuing final guidance. If you would like assistance in submitting comments to CMS, please contact one of the authors of this post.</p> <p><a href="/people/christina-randolph"><strong><em>Christina Randolph</em></strong></a><em> and <a href="/people/milada-goturi"><strong>Milada Goturi</strong></a>&nbsp;are partners in Thompson Coburn's health care practice.</em></p>

<p>Clinical laboratories, recovery homes, and clinical treatment facilities should take note of a new law that expands kickback liability to non-governmental payors. Late last year, President Donald Trump signed into law the &ldquo;Eliminating Kickbacks in Recovery Act of 2018&rdquo; (EKRA) as part of the larger &ldquo;Substance Use-Disorder Prevention that Promotes Opioid Recovery and Treatment for Patients and Communities Act&rdquo; (SUPPORT Act).</p> <h2>Prohibition</h2> <p>Similar to the prohibitions under the federal anti-kickback statute (AKS), EKRA generally prohibits (1) the solicitation or receipt of any remuneration in return for referring a patient to a laboratory, clinical treatment facility, or recovery home, and (2) the payment or offer of any remuneration to induce a referral of an individual to a laboratory, clinical treatment facility, or recovery home or in exchange for an individual using the services of a laboratory, clinical treatment facility, or recovery home.</p> <p>Health care providers should note three key features of EKRA:</p> <ul> <li>First, EKRA applies to any &ldquo;health care benefit program&rdquo; which includes commercial payors and government programs. This is broader than the AKS which is limited to governmental payors.<br /> <br /> </li> <li>Second, EKRA covers clinical laboratory services provided at any laboratory subject to CLIA including services unrelated to opioid treatment and recovery.<br /> <br /> </li> <li>Third, EKRA is a criminal statute that contains a &ldquo;knowing and willful&rdquo; intent requirement.<br /> <br /> </li> </ul> <h2>Exceptions</h2> <p>EKRA contains eight exceptions to its basic prohibition including a discount exception, a compensation exception for employees and independent contractors, and an exception for payments made in connection with alternative payment models. While similar, the exceptions under EKRA do not always perfectly align with the AKS safe harbors. 
For example, EKRA&rsquo;s employee exception is narrower than the AKS employee safe harbor, but EKRA&rsquo;s personal services and management contracts exception incorporates the requirements of the AKS personal services and management contracts safe harbor.</p> <h2>Penalties</h2> <p>Penalties for violations include fines up to $200,000, a prison term up to 10 years, or both, for each occurrence.</p> <h2>Preemption</h2> <p>EKRA contains two preemption clauses. First, EKRA does not apply to conduct prohibited under the AKS. This preemption appears to prevent liability under EKRA for conduct that is subject to the AKS. Second, EKRA contains a preemption clause that states: &ldquo;[n]othing in [EKRA] shall be construed to occupy the field in which any provisions of [EKRA] operate to the exclusion of State laws on the same subject matter.&rdquo; This language is not clear but appears to mean that EKRA does not preempt state law.</p> <h2>Regulations</h2> <p>Upon the implementation of EKRA regulations, providers may have more clarity on the applicability of the prohibition, its exceptions, and the preemption provisions. Until that time, all laboratories, recovery homes, and clinical treatment facilities should review their business arrangements to ensure compliance with EKRA as it stands in addition to other applicable regulatory requirements.</p> <p>If you have any questions regarding EKRA or the SUPPORT Act, please feel free to contact the authors of this blog.</p> <p><em><a href="/people/christina-randolph"><strong>Christina Randolph</strong></a> and <a href="/people/nicole-jobe"><strong>Nicole Jobe</strong></a>&nbsp;are partners in the firm&rsquo;s health care practice.</em></p>
<p>After years of provider feedback, this month CMS provided another indication that potentially significant modifications to the Stark Law are looming.</p> <p>Speaking at the Federation of American Hospitals&rsquo; 2019 Public Policy Conference, CMS Administrator Seema Verma noted that the agency plans to issue updated regulations at some point in 2019. Verma noted that the updated regulations will seek to spur care coordination in an era of increasing use of value-based payment models. She noted that Congress passed the Stark Law at a time when fee-for-service payment arrangements were prevalent, and such a regulatory model may not be as appropriate today as providers accept more risk for cost and outcomes.</p> <p>Verma&rsquo;s comments follow CMS&rsquo;s 2018 request for information (RFI) concerning Stark Law updates and serve as another expression of CMS&rsquo;s willingness to modify the current regulatory environment. The potential regulatory modifications mentioned by Verma reflect many of the concerns and proposals raised by commenters to the 2018 RFI (discussed in a previous Health Law Checkup <a href="https://www.thompsoncoburn.com/insights/blogs/health-law-checkup/post/2018-08-02/cms-seeks-public-comment-on-potential-stark-law-modifications" target="_blank"><strong>post</strong></a>). 
Some of these shared concerns include:</p> <ul> <li>The need for updates to reflect the shift toward value-based payments with many commenters suggesting CMS create a new exception for value-based payment arrangements;</li> </ul> <ul> <li>Desired clarifications to key definitions in the Stark Law, including:<br /> <ul> <li>&ldquo;fair market value&rdquo;<br /> <br /> </li> <li>&ldquo;commercial reasonableness,&rdquo; and<br /> <br /> </li> <li>&ldquo;take into account the volume or value of referrals or other business generated&rdquo;;<br /> <br /> </li> </ul> </li> <li>A desire for an approach to address &ldquo;technical&rdquo; noncompliance with the Stark Law such as missing signatures or incorrect dates; and<br /> <br /> </li> <li>The need to modernize the regulations to account for cybersecurity and electronic health record requirements.</li> </ul> <p>Exact details on the extent and timing of potential modifications remain unknown. Thompson Coburn will continue to monitor developments related to the Stark Law.</p> <p><em><a href="/people/ken-farris"><strong>Ken Farris</strong></a> is a member of Thompson Coburn's health care practice.</em></p>

<p>On February 13, 2019, the Missouri Department of Health and Senior Services held a forum to hear suggestions regarding the drafting of preliminary medical cannabis regulations. Suggestions covered quality control and testing, fees and profits, startup logistics, distribution issues, and more.</p> <p>Read the full post, "<a href="https://www.thompsoncoburn.com/insights/blogs/tracking-cannabis/post/2019-02-25/highlights-from-the-missouri-department-of-health-s-first-medical-cannabis-forum" target="_blank"><strong>Highlights from the Missouri Department of Health&rsquo;s first medical cannabis forum</strong></a>," on our <a href="https://www.thompsoncoburn.com/insights/blogs/tracking-cannabis" target="_blank"><strong>Tracking Cannabis</strong></a>&nbsp;blog.</p>
<p>Did your organization discover a HIPAA breach in 2018 that affected fewer than 500 people? If so, you have until March 1 to report the breach to the Office for Civil Rights (&ldquo;OCR&rdquo;).</p> <p>The HIPAA Breach Notification Rule requires covered entities to notify OCR of breaches of unsecured protected health information affecting fewer than 500 individuals within 60 days of the end of the calendar year in which the breach was discovered. This year, the deadline for such breaches discovered in 2018 is March 1, 2019.</p> <p>Breaches can be <a href="https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true" target="_blank"><strong>reported online here</strong></a>. It&rsquo;s not possible to save reports before submitting them, so be prepared to fill out the full report and submit at the same time. You can see a sample of the report and the questions you&rsquo;ll be asked <a href="https://ocrportal.hhs.gov/ocr/breach/doc/Breach%20Portal%20Questions%20508.pdf" target="_blank"><strong>here</strong></a>. Note that if your organization discovered more than one breach in 2018 that affected fewer than 500 individuals, you must complete a separate report for each breach incident.</p> <p><em><a href="/people/jennifer-pike"><strong>Jennifer Pike</strong></a> is a member of Thompson Coburn&rsquo;s Health Care practice group.</em></p>

<p>The end of 2018 saw major developments in some of health care&rsquo;s key areas, from cybersecurity to medical cannabis. As another year begins, here are some of the significant developments over the past year that are likely to impact health care providers in 2019.</p> <h2>Missouri medical cannabis legislation</h2> <p>On November 6, 2018, Missouri voters passed a ballot measure legalizing the manufacture, sale, and use of medical cannabis products. The measure amended the Missouri Constitution to allow state-licensed physicians to recommend medical cannabis to patients who have a &ldquo;qualifying medical condition&rdquo; which includes cancer, glaucoma, HIV/AIDS, any terminal illness, and &ldquo;any other chronic, debilitating or other medical condition&rdquo; as determined by a physician. The Missouri Department of Health and Senior Services will oversee granting licenses to operate cannabis product manufacturers, cultivators, and retail businesses and has yet to release implementing regulations. Missouri joins <a href="https://www.thompsoncoburn.com/insights/blogs/tracking-cannabis/post/2018-10-04/a-state-by-state-ranking-of-cannabis-regulations" target="_blank"><strong>more than 30 states</strong></a>&nbsp;that have passed medical cannabis laws.</p> <h2>Revisions to Medicare supervision requirements</h2> <p>In its <a href="https://www.govinfo.gov/content/pkg/FR-2018-11-23/pdf/2018-24170.pdf" target="_blank"><strong>2019 Medicare Physician Fee Schedule (MPFS) Final Rule</strong></a>&nbsp;and subsequent guidance, CMS has loosened the supervision requirement for diagnostic tests performed by a certified Registered Radiologist Assistant or Radiology Practitioner Assistant from personal physician supervision to direct physician supervision to the extent permitted by state scope of practice law for such practitioners. This rule applies to all Medicare beneficiaries who are not hospital inpatients and is effective January 1, 2019. 
Providers will need to check their state scope of practice laws to determine if the reduced supervision requirements apply.</p> <h2>Clinic visits and the 2019 OPPS Rule</h2> <p>In the <a href="https://www.govinfo.gov/content/pkg/FR-2018-11-21/pdf/2018-24243.pdf" target="_blank"><strong>2019 Hospital Outpatient Prospective Payment System (OPPS) final rule</strong></a>, CMS eliminated the exception allowing certain off-campus PBDs to bill for clinic visits under the OPPS. In this change, CMS will pay <span style="text-decoration: underline;">all</span> clinic visits provided at PBDs at the lower MPFS rate. CMS will implement this change over a two-year period, with payments in 2019 at approximately 70% of the OPPS rate and payments in 2020 at approximately 40% of the OPPS rate.</p> <h2>Anthem data breach debacle settles for millions</h2> <p>In October 2018, Anthem <a href="https://www.hhs.gov/about/news/2018/10/15/anthem-pays-ocr-16-million-record-hipaa-settlement-following-largest-health-data-breach-history.html" target="_blank"><strong>agreed to pay $16 million</strong></a>&nbsp;to the U.S. Office of Civil Rights (OCR) to settle alleged HIPAA violations stemming from a 2015 data breach affecting nearly 79 million individuals. Hackers first accessed the protected health information (PHI) through spear phishing emails sent to an Anthem subsidiary. A single employee responded to the attacks which caused further targeted attacks using access inadvertently granted by that employee. OCR also determined Anthem failed to mitigate the damage by not conducting an enterprise-wide risk analysis, failed to identify and respond to security incidents, and did not maintain sufficient procedures to monitor information system activity and access to PHI. 
<a href="https://www.hhs.gov/sites/default/files/anthem-ra-cap.pdf" target="_blank"><strong>The agreement</strong></a>&nbsp;marks the largest settlement reached with OCR over potential HIPAA violations and subjects Anthem to a HIPAA corrective action plan. This is the largest HIPAA settlement in OCR&rsquo;s history.</p> <h2>Illinois Supreme Court protects nonprofit hospital tax exemption</h2> <p>In a September 20, 2018 ruling, the Illinois Supreme Court in <a href="https://scholar.google.com/scholar_case?case=17613428492587997664" target="_blank"><em><strong>Oswald v. Hamer</strong></em></a>&nbsp;upheld a tax exemption for nonprofit hospitals when the value of charity care provided annually by a hospital equals or exceeds that hospital&rsquo;s estimated property tax liability. The Plaintiff argued that the exemption, codified at Section 15-86 of the Illinois Property Tax Code, was unconstitutional because the law does not require hospitals to be used exclusively for charitable purposes. The Illinois Supreme Court disagreed and upheld the exemption, helping Illinois nonprofit hospitals avoid a potentially sizable increase in their tax liabilities. Cases like this have appeared in other states, and this is a trend to follow in the coming year.</p> <h2>Kalispell fraud and abuse case ends in multi-million settlement</h2> <p>In September of 2018, Montana-based Kalispell Regional Healthcare System and six subsidiaries (KRH) agreed to <a href="https://www.justice.gov/opa/pr/kalispell-regional-healthcare-system-pay-24-million-settle-false-claims-act-allegations" target="_blank"><strong>a $24 million settlement</strong></a>&nbsp;to resolve allegations they violated the False Claims Act (FCA). 
The FCA action stemmed from allegations claiming KRH entered into arrangements with physicians that violated the Stark Law and Anti-Kickback Statute in which KRH compensated physicians in excess of fair market value and tracked the volume and value of referrals in &ldquo;contribution margin&rdquo; reports to determine base compensation and bonus levels for employed physicians. Additionally, the relator alleged that KRH sought to induce physician referrals by providing administrative services at below fair market value to an entity with physician investors.</p> <p>The case reflects the government&rsquo;s continued emphasis on noncompliant arrangements between hospitals and physicians, particularly when using &ldquo;contribution margin&rdquo; reports to determine physician compensation and provides another example of the risks associated with such noncompliance.</p> <p>If you have any questions about any of the topics discussed in this post, please feel free to contact the authors.</p> <p><em><a href="/people/nicole-jobe"><strong>Nicole Jobe</strong></a> and <a href="/people/ken-farris"><strong>Ken Farris</strong></a>&nbsp;are associates in Thompson Coburn's health care practice.</em></p>
<p>On December 28, 2018, the U.S. Department of Health and Human Services (&ldquo;HHS&rdquo;) published the &ldquo;<a href="https://www.phe.gov/Preparedness/planning/405d/Pages/hic-practices.aspx" target="_blank"><strong>Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients</strong></a>&rdquo; (&ldquo;Guidelines&rdquo;). The Guidelines were developed in response to a mandate of the Cybersecurity Act of 2015 to develop cybersecurity guidelines to reduce cybersecurity risks for healthcare organizations.</p> <p>The Guidelines consist of the following four separate documents:</p> <ul> <li>The Main Document, which provides an in-depth look at the five most relevant and current cybersecurity threats to the healthcare industry. These threats include e-mail phishing attacks, ransomware attacks, loss or theft of equipment or data, insider, accidental or intentional data loss and attacks against connected medical devices that may affect patient safety. The Guidelines enumerate various strategies to mitigate these threats, including e-mail protection systems, access management, network management and various other strategies.<br /> <br /> </li> <li>Technical Volume 1, which addresses cybersecurity practices for small healthcare organizations<br /> <br /> </li> <li>Technical Volume 2, which addresses cybersecurity practices for medium and large health care organizations.<br /> <br /> </li> <li>Resources and Templates Volume, which provides resources and templates to support an organization&rsquo;s assessment of its current cybersecurity program and to present several template policies and procedures.</li> </ul> <p>The Guidelines provide healthcare organizations of all types and sizes with information on cybersecurity practices. Cyber threats to patient information continuously evolve and regulatory enforcement continues to focus on data security matters. 
In recent years, numerous HHS enforcement actions have involved non-compliance with the HIPAA Security Rule. Thus, it is important for healthcare organizations to be vigilant in their efforts to protect patient information and to ensure compliance with the HIPAA Security Rule. Healthcare organizations can use the Guidelines as a helpful resource in their cybersecurity compliance efforts.</p> <p><em><a href="/people/milada-goturi"><strong>Milada Goturi</strong></a>&nbsp;and <a href="/people/jennifer-pike"><strong>Jennifer Pike</strong></a>&nbsp;are members of Thompson Coburn&rsquo;s Health Care practice group.</em></p>

<p>On December 14, 2018, the Office for Civil Rights (OCR) published a <a href="https://www.govinfo.gov/content/pkg/FR-2018-12-14/pdf/2018-27162.pdf" target="_blank"><strong>Request for Information</strong></a>&nbsp;(RFI) that seeks public input on how the agency might modify the HIPAA Privacy, Security and Breach Notification Rules to improve care coordination and reduce regulatory burdens.</p> <p>OCR is accepting comments on all aspects of the HIPAA Rules but requests information on five specific areas:</p> <p style="margin-left: 40px;">(1) Information sharing for care coordination and case management;<br /> <br /> (2) Parental/caregiver involvement in care in connection with the opioid crisis;<br /> <br /> (3) Parental/caregiver involvement in care in connection with severe mental illness;<br /> <br /> (4) Accountings of disclosures; and<br /> <br /> (5) Notice of Privacy Practices.</p> <p>Overall, the agency put forth over 50 specific questions to the public for input on these topics.</p> <p>OCR&rsquo;s commentary and questions in the RFI reveal some notable insights. For example, OCR&rsquo;s questions related to information sharing for care coordination suggest that it is considering modifications to the Privacy Rule that would require covered entities to make protected health information (PHI) available to other covered entities within a specified time frame. Currently, the Privacy Rule requires only that covered entities make PHI available to individuals in a set amount of time. 
OCR also seems to be considering providing additional exceptions to the minimum necessary requirements and additional disclosure permissions under the Privacy Rule, such as to community-based support programs that are not otherwise considered health care providers under the Privacy Rule.</p> <p>In its commentary on sharing information in connection with the opioid crisis and serious mental illness, OCR indicates it may issue new rulemaking to encourage the sharing of PHI with parents and caregivers for the promotion of the health and safety of individuals struggling with substance abuse (in particular, opioid use) and serious mental illness.</p> <p>Very notably, with respect to accountings of disclosures, OCR announces its intention to withdraw the 2011 notice of proposed rulemaking that had called for covered entities to make &ldquo;access reports&rdquo; available to individuals upon request. Such access reports would have required covered entities to provide individuals with a full listing of who had accessed the individual&rsquo;s PHI in an electronic record. OCR acknowledges that such an access report would be overly burdensome to covered entities and does not provide meaningful information to individuals.&nbsp;However, OCR does note its obligation under the HITECH Act to modify the Privacy Rule to require that accountings of disclosures include disclosures for treatment, payment and health care operations made through an electronic record. The agency therefore asks for input on how it could accomplish this directive.</p> <p>Finally, OCR&rsquo;s commentary and questions related to the Notice of Privacy Practices reveal the agency may be considering removing the requirement for covered entities to make a good faith effort to obtain written acknowledgement of an individual&rsquo;s receipt of a health care provider&rsquo;s Notice.</p> <p>Comments to the RFI must be submitted on or before <strong>February 12, 2019</strong>. 
Comments can be submitted by mail or online at <a href="http://www.regulations.gov/" target="_blank"><strong>www.regulations.gov</strong></a>&nbsp;by searching for Docket ID number HHS-OCR-0945-AA00.</p> <p><em><a href="/people/jennifer-pike"><strong>Jennifer Pike</strong></a> is a member of Thompson Coburn&rsquo;s Health Care Practice Group.</em></p>
<p>Effective January 1, 2019, Missouri insurers must <a href="/docs/default-source/blog-documents/2018-mo-senate-bill-593-(linked-version).pdf?sfvrsn=64f41ea_0" title="comply with new legislation"><strong>comply with new legislation</strong></a>&nbsp;regarding internal audit requirements and the submission of new annual disclosure reports. These new requirements stem from model laws issued by the National Association of Insurance Commissioners (NAIC). Below is a brief overview of these new requirements.</p> <h2>Internal audit standards</h2> <p style="margin-left: 40px;"><strong>Requirement.</strong> RSMo. &sect; 375.1058 requires insurers to establish an internal audit function that provides independent, objective and reasonable assurance to organizational leadership that the insurer is functioning efficiently, complying with internal policies, and effectively managing risk. The internal audit function must have the authority to perform audits and reviews and must be &ldquo;organizationally independent&rdquo; to remain objective when exercising its oversight function.</p> <p style="margin-left: 40px;"><strong>Scope:</strong> The law generally applies to Missouri insurers (including health insurance companies and HMOs) unless the insurer: (1) individually has annual direct written and unaffiliated assumed premium of less than $500 million; and (2) is a member of a group of insurers that has annual direct written and unaffiliated assumed premium of less than $1 billion.&nbsp;</p> <h2>Corporate compliance reports</h2> <p style="margin-left: 40px;"><strong>Requirement. </strong>RSMo. &sect; 382.600-382.640 requires Missouri insurers to submit a Corporate Governance Annual Disclosure (CGAD) before June 1 of each calendar year. 
A CGAD is a report that provides the director of the Missouri Department of Insurance, Financial Institutions and Professional Registration a summary of the insurer or insurance group&rsquo;s corporate governance structure, policies, and practices. The report permits the director to examine the insurer&rsquo;s corporate governance policies and how the insurer implements such policies. The Department must maintain the confidentiality of the CGAD and may not disclose the CGAD to the public.</p> <p style="margin-left: 40px;"><strong>Scope. </strong>The law generally applies to Missouri insurers (including health insurance companies and HMOs). If the insurer is part of an insurance group, the insurer must submit a CGAD to its lead state unless the lead state has not yet adopted both the NAIC CGAD Model Act and Model Regulations.</p> <p>In addition to the two new laws above, Missouri lawmakers passed legislation increasing the fees for many filings required by the Department.</p> <p>Missouri insurance companies impacted by these new laws should review these requirements carefully to ensure compliance. If you have any questions, please feel free to contact the authors of this blog.<br /> <br /> <em><a href="/people/ken-farris"><strong>Ken Farris</strong></a> is an attorney in Thompson Coburn&rsquo;s Health Care practice.&nbsp;</em></p>