On January 17, 2013, the Office for Civil Rights (“OCR”), Department of Health and Human Services, issued the long-awaited final rule:  “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules.”  The final rule is effective March 26, 2013.  Covered Entities (“CEs”) and Business Associates (“BAs”) must comply with the applicable requirements by September 23, 2013.

The final rule seeks to address OCR’s findings in carrying out Executive Order 13563, which required OCR to conduct a retrospective review of existing regulations to identify ways to reduce costs and increase flexibilities under HIPAA.  The rule may or may not reduce costs, but the guidance provides more certainty for some businesses, and more flexibility for others, in interpreting privacy regulations that seemingly inhibited growth and development in the health care industry.

The rule clarifies that persons who undertake patient safety activities are BAs,[1] as are organizations such as Health Information Organization,[2] E-prescribing Gateways, or Regional Health Information Organizations that provide data transmission of PHI to a CE or its BA and that require access on a routine basis to such PHI.  As much as the rule offers certainty on these entities, however, it also offers room for argument, as OCR declined to define them with specificity.

Indeed, OCR declined to statically define any type of BA, emphasizing repeatedly the necessity of performing a factual analysis in uncertain situations, guided by principals designed to meet the overarching goals of HIPAA, HITECH and GINA.  OCR first settled a topic of some debate at health lawyers’ conferences by acknowledging that mere conduits are not BAs.

Read more about the Final HIPAA Rule after the jump

[1] This is to conform to the statutory provisions of the Patient Safety and Quality Improvement Act of 2005 (PSQIA), 42 U.S.C. 299b-21, et. seq.  PSQIA provides for the establishment of Patient Safety Organizations (“PSOS”) to receive reports of patient safety events or concerns from providers and provide analyses of events to providers.  Such reports may include PHI.  42 CFR 3.10 et seq.

[2] OCR declined requests for a more specific definition of “Health Information Organizations,” saying only that the term currently refers to organizations that govern health information exchange among organizations within a defined geographic area, but that as the industry evolves, the types of entities that fall within this definition may change.

I.            The “Conduit Exception” Is Recognized and In General, Conduits Are Not BAs

For years, many HIPAA pundits talked and acted as though the “conduit exception” was a figment of a lawyerly imagination – a hobgoblin of our own creation, to paraphrase a literary work usually saved for the holiday season we just left behind.  Imaginative lawyers are vindicated:  In the final rule, OCR emphasizes that “mere conduits” for the transport of PHI who do not access the information other than on a random or infrequent basis are not BAs.

However, the OCR cautioned that “[t]he conduit exception is a narrow one and is intended to exclude only those entities providing mere courier services, such as the U.S. Postal Service or United Parcel Service and their electronic equivalents, such as internet service providers (ISPs) providing mere data transmission services.”  That is, a “conduit” does not access PHI “other than on a random or infrequent basis as necessary to perform the transportation service or as required by other law.”  This includes reviewing whether data transmitted is arriving at its intended destination.  “In contrast, an entity that requires access to protected health information in order to perform a service for a covered entity such as record locator services is not a conduit,” and is therefore a BA.

Accordingly, OCR preserved a fact-based analysis with regard to whether entities have more than “random” access to PHI and thus are BAs.  On one end of the spectrum sits those entities that manage the exchange of PHI through a network or perform oversight and governance functions for electronic health information exchanges.  These, the final rule establishes, are BAs because they have more than “random” access.  However, where on the  spectrum other businesses or activities lie depends on all relevant facts and circumstances – a test that makes the risk averse nervous while everyone else celebrates the joys of flexibility.  OCR declined to define what it means to have “access on a routine basis,” saying such a determination “will be fact specific based on the nature of the services provided and the extent to which the entity needs access to protected health information to perform the service for the covered entity.”

OCR emphasized that whether an entity acts on its ability to access PHI is not determinative of whether the entity is a BA.  OCR clarified, for example, that a records storage facility that maintains PHI on behalf of a CE is a BA “even if the entity does not actually view” the PHI, while a transmission service (digital or hard copy) that temporarily stores transmitted data is not even if it “peeks.”  OCR explained that while transmission services have access equal to that of storage facilities, the difference between the two situations is the “transient versus persistent nature of that opportunity.”

If a test arises from all of this, it is one that asks not only whether the entity creates, receives, maintains, or transmits PHI, but also whether the entity has a persistent opportunity to access PHI, as opposed to a transient one.  If the answer is yes, the entity is BA without regard to whether it randomly, infrequently, or ever views the PHI.  This is a new test.

II.            Entities That Are Agents of CEs And of Other BAs Are Themselves BAs

The final rule also gives unprecedented credence to a fact-based agency theory for determining whether vendors are BAs.  For example, the OCR instructed that vendors are BAs when they contract with a CE to offer personal health records to one or more individuals on behalf of the CE.[1]  In contrast, OCR explained, if PHI is provided pursuant to an individual’s written authorization, then the vendor is not acting on behalf of the CE and is not a BA even if the vendor also has a contract with the CE governing the exchange or data.  That is, the final rule indicates that the extent to which a vendor will be considered a BA depends on whether the vendor is acting like an agent of a CE in connection with the PHI at issue.

OCR justified its application of the Federal common law of agency by citing § 160.402(c), which references the Federal common law of agency, and reiterating its belief that “adopting the Federal common law to determine the definitions and application of these terms achieves nationwide uniformity in the implementation of the HIPAA Rules.”[2]  Nationwide uniformity, OCR said, furthers “the efficiency and effectiveness of the health care system as a whole.”  Whether the 50 states would agree, or federal court judges for that matter, it is now therefore established:  Federal agency law applies.

The agency test must always bow to the overarching definition of a BA of course, i.e., if an entity receives, maintains, or transmits PHI or has a persistent opportunity to access PHI, the entity is a BA.  However, understanding the agency test is important to determining who is liable for whose failure to comply with HIPAA and the scope of responsibility.  If agency is not analyzed, an entity may incorrectly believe it is not a BA because it did not agree to perform services that fall within the strict statutory definition of a BA.  If agency is not considered, a person may perform services without having a BA agreement, which OCR may determine is unlawful because the person was acting as a CE’s agent.  If a CE blames a vendor for a HIPAA violation but has no BA agreement with the vendor, the CE may want to hold the vendor liable on an agency theory.

OCR provided guidance on the federal common law of agency it is discussion of how a CE may be liable for the acts of a BA under § 160.402(c).  Over all, OCR emphasized the importance of a fact-specific analysis, “taking into account the terms of a business associate agreement as well as the totality of the circumstances involved in the ongoing relationship between the parties.”   More specifically, “[t]he essential factor in determining whether an agency relationship exists between a covered entity and its business associate … is the right or authority of a covered entity to control the business associate’s conduct in the course of performing a service on behalf of the covered entity.”  According to OCR’s further tutorage, CEs, BAs, and vendors should analyze their relationships, determine their obligations, and draft their agreements based on the following principles:

(1)  If the time, place, and purpose of the vendor’s conduct show that the vendor is under the control of a CE or BA, the vendor may be an agent;

(2)  If the vendor engaged in a course of conduct that was subject to a covered entity’s control, the vendor may be an agent;

(3)  If a vendor’s conduct is commonly performed by BAs to accomplish the service performed on behalf of a CE, the vendor may be an agent;

(4) If the CE or BA reasonably expected that the vendor would engage in the conduct in question, the vendor may be an agent;

(5)  If the terms of the parties’ agreement states that the vendor “must make available protected health information in accordance with § 164.524 based on the instructions to be provided by or under the direction of the covered entity,” the vendor is an agent with regard to this activity;

(6)  If a CE contracts out or delegates a particular obligation under HIPAA to the vendor, the vendor is probably an agent;

(7)  If the type of service and skill level required to perform the service are such that the CE or BA would not have the expertise to provide interim instructions to the vendor regarding the service, the vendor is probably not an agent;[3]

(8)  If a CE is legally or otherwise prevented from performing the service or activity to be performed, the vendor is probably not an agent;[4]

(9)  If a contract between the parties sets terms and conditions that create contractual obligations such that the only avenue of control is for the CE to amend the terms of the agreement or sue for breach of contract, the vendor is probably not an agent;

(10)  An agency relationship may exist even if a CE does not retain the right or authority to control every aspect of its business associate’s activities;

(11)  An agency relationship may exist even if a covered entity does not exercise the right of control but evidence exists that it holds the authority to exercise that right;

(12)  An agency relationship may exist even if a covered entity and its business associate are separated by physical distance (e.g., if a covered entity and business associate are located in different countries);

(13)  The terms, statements, or labels given to parties (e.g., independent contractor) do not control whether an agency relationship exists – it is the the manner and method in which a covered entity actually controls the service that decides the analysis.

Accordingly, a mere contract phrase to the effect that a vendor is not an agent will not make it so, will not help the vendor avoid obligations as a BA under HIPAA and HITECH, and will not protect a CE from responsibility for the vendor-BA’s conduct.  As OCR stated, the analysis of whether a BA is an agent “will be fact specific and consider the totality of the circumstances involved in the ongoing relationship between the parties.”

OCR left little to the imagination of creative lawyers where an agency relationship exists.  The final rule is crystal clear that person or entity that creates, receives, maintains, or transmits PHI or performs a PHI-related service or delegated HIPAA obligation on behalf of another entity is a BA subject to the HIPAA Breach Notification Rule.  Perhaps for emphasis, OCR asserted that these BAs are subject to HIPAA rules, “and not that of the FTC.”

The FTC governs “PHR-related entities.”  Businesses are PHR-related entities if they interact with a vendor of personal health records either by offering products or services through the vendor’s website – even if the site is covered by HIPAA – or by accessing information in a personal health record or sending information to a personal health record.  “Many businesses that offer web-based apps for health information fall into this category.”  http://business.ftc.gov/documents/bus56-complying-ftcs-health-breach-notification-rule.  Examples include Apps that help consumers manage their medications or let them upload readings from a device like a blood pressure cuff or pedometer into a personal health record.  The final rule does not change such PHR-related entities into BAs in all circumstances, emphasizing that consumers still control their own information.   For example, the final rule does not change FTC guidance that if a site is simply available to consumers for inputting their own information in a way that does not interact with personal health records offered by a vendor, the site operator is not a PHR-related entity.  Accordingly, for example, if the site “just allows consumers to input their weight each week to track their fitness goals” the site operator is not a PHR-related entity, is not a BA, and is not subject to the breach notification rules.  However, OCR makes it clear that where consumers are not in control – where a CE or BA ultimately controls the handling of the PHI – then PHR-related entities become BAs, subject to HIPAA’s breach notification rule.

III.            “Subcontractor” Is A New Term of Art, and Subcontractors Are BAs

The final rule also establishes that a person to whom a BA “delegates a function, activity, or service” other than someone acting as a member of the BA’s workforce, is indeed called a “subcontractor,” a neologism that caused angst in many a grammarian and raised the ire of lexicologists far and wide.  More importantly, the final rule establishes that where the delegated function, activity, or service involves the creation, receipt, maintenance, or transmission of protected health information, the subcontractor is a BA.

Responding to commentators’ concern that this rule would require covered entities to contract with subcontractors, OCR underscored that BAs are the parties obligated to obtain satisfactory assurances that their subcontractors will safeguard PHI.  “The final rule makes clear that a covered entity is not required to enter into a contract or other arrangement with a business associate that is a subcontractor.”  See §§ 164.308(b)(1) and 164.502(e)(1)(i).”

As a practical matter, CEs are very concerned when their BAs delegate obligations to unknown parties over whom the CEs have no control.  Elaborate provisions are included in business associate agreements to ensure that BAs obtain covenants from subcontractors that PHI will be protected to the same extent required under the CE’s agreement with the BA.  Almost acknowledging the need to continue this practice, OCR further opined:  “[W]e believe that making subcontractors directly liable for violations of the applicable provisions of the HIPAA Rules will help to alleviate concern on the part of covered entities that protected health information is not adequately protected when provided to subcontractors.”  (Emphasis added.)

IV.            Conclusion

The final rule seeks to ensure, perhaps above all else, “that individuals’ health information remains protected by all parties that create, receive, maintain, or transmit the information in order for a covered entity to perform its health care functions.”   Everyone “down the chain,” as OCR put it, from CE to BA to Subcontractor1 to Subcontractors 2-5, and so on, and so on, and so on, must ensure that they comply with HIPAA and HITECH and that they obtain satisfactory assurances that the parties with whom they contract will comply with HIPAA and HITECH.  Reading between the lines of the final rule, it is as if OCR shrugged and said, “there’s strength in numbers” or “the more the merrier.”  Indeed, who can argue with such accepted wisdom.

[1] Section 13408 of HITECH requires that such organizations enter into “a written business associate contract or other arrangement with the covered entity in accordance with the HIPAA Rules.”

[2] Referencing the Enforcement Rule preamble, 71 FR 8390, 8403-04.

[3] For example, OCR instructed,  a BA “that is hired to perform de-identification of protected health information for a small provider would likely not be an agent because the small provider likely would not have the expertise to provide interim instructions regarding this activity to the business associate.”  In this situation, the BA would be directly subject to HIPAA and HITECH, but the CE would not be responsible for the BA’s conduct.

[4] As OCR explained:  “[A]n agency relationship would not likely exist when a covered entity is legally or otherwise prevented from performing the service or activity performed by its business associate [such as] accreditation functions performed by a business associate” that cannot be performed by a covered entity seeking accreditation because a covered entity cannot perform an accreditation survey or award accreditation.”

In my opinion, the Protocol is not user-friendly in several ways.  I’ve related this many times over the years to IGs and senior members of the IG’s office.  The bottom line is that providers are reluctant to go to the OIG because the Protocol and the subsequent Open Letters do not provide enough comfort or certainty about the potential outcomes.  I know the OIG has to keep its options open in egregious cases, but the fact is that the vast majority of providers are honest, have strong compliance programs and want to do the right thing.  They are not going to disclose an issue and at the same time ”pull a fast one” on the OIG.

The notice says that the OIG has resolved over 800 voluntary disclosures in 14 years — that’s about 57 a year.  The average recovery has been $350,000.  This is confirmation that providers have not been using the protocol much at all — especially compared to the number of circumstances that could be resolved through voluntary disclosure.

If the OIG developed a kinder, gentler and more predictable approach, it’s extremely likely that providers would line up to resolve instances of potential non-compliance.  There would be all sorts of reasonable resolutions and repayments.

It’s the rare provider that is both a good-faith voluntary discloser and a true fraudster.  Why not give providers an alternative that leans more toward recognition of this reality, along with a greater tendency toward amnesty from potentially draconian consequences?  This is the kind of provider-government partnership that Inspector General Dan Levinson has been promoting, and I believe he’s on the right track.  He is smart and thoughtful, and he understands the massive compliance challenges that providers face in the current environment.  He has initiated a great opportunity for both the OIG and well-intentioned providers to rectify potential non-compliance.  If the OIG built its revised protocol on a foundation of mutual trust, collaboration and greater certainty about outcomes, providers would use it more frequently and the government would reap the benefits.

What’s your perspective?

The Office of Management and Budget has created a new tool called Do Not Pay.   It is complemented by a Do Not Pay Business Center, a Do Not Pay List, a Do Not Pay Data Analytics Service and a Do Not Pay Portal.  The goal is to develop a place for government agencies to access a consolidated set of databases.  The tool provides for data searching and more extensive data analytics.  It includes databases like the List of Excluded Entities/Individuals (LEIE), SSA Death Master File (DMF), Central Contractor Registry (CCR), Excluded Parties List System (EPLS, public and private) and Debt Check.  Three types of customized searches are available, according to agencies’ needs:

• Online
• Batch
• Continuous monitoring

Each government agency is required to submit a draft plan for using these resources by June 30.  OMB will work with the agencies and provide comments by July 31.

Here’s an interesting point for the health care industry:  The government has already exceeded its goal to collect $2 billion in overpayments by the end of Fiscal Year 2012, which is September 30, 2012.  Why?  Because, according to the Obama Administration,  the RACs are recovering hundreds of millions of dollars.

What’s the take-away?  Prudent providers are reinforcing their government audit defense teams.  (Note I didn’t say “RAC audit.”)  Whether it’s RAC, MAC, ZPIC, the forthcoming Medicaid RACS or any of the other claims review entities, the focus on “improper payments” is here to stay, especially as the government’s health care outlays are spiraling.

You can watch the speech at this link:  IG Levinson’s Compliance Speech at HCCA Compliance Institute

Here’s the background:

• HHS-OIG analyzed 370 audits by Audit MICs between January and June 2010.
• The potential overpayments were projected at $80 million.

Here are the findings:

• Eighty-one percent of the audits either did not, or were unlikely to, identify overpayments.
• Forty-two percent identified no overpayments.

• There were no overpayment findings in 85 audits.
• CMS discontinued 72 audits after determining that finding overpayments was unlikely.
• Thirty-nine percent, or 144, were ongoing and unlikely to identify overpayments.  That raises a question:  Why would the government continue these audits?
• Eleven percent of the audits, or 42, found overpayments totaling $6.9 million.

• Only 7 of the 370 audits found overpayments greater than $100,000.
• Of those, only 3 were over $500,000.
• One audit, for example, had an overpayment finding of $6,012 where the potential overpayment had been identified as $2,948,137.

The government’s intervention in a whistleblower’s federal False Claims Act case in Alabama(United States ex. Rel Dawn Richardson et al v. Golden Gate Ancillary LLC et al., 09 cv 627, ND Ala.) – which was recently made public  – signals that the government has jumped into the deep end feet first in its self-proclaimed effort to combat fraud in the hospice context.  What remains to be seen is how successful these efforts will ultimately be. 

In this case, the government alleges that Golden Gate Ancillary LLC (doing business as Aseracare Hospice) misspent millions of Medicare dollars by admitting and billing for Medicare beneficiaries whom the company well-knew were not terminally ill and did not otherwise qualify for this expensive end-of life care, and consequently caused the submission of numerous false claims to the federal government for unnecessary health care services..  One of the complaint’s allegations is that although hospice care is limited to patients with a prognosis of six months or less to live, several of the defendant’s hospice patients in fact lived longer than six months and some were well enough to be released back to skilled nursing facilities.

On first glance, these allegations are not particularly different distinctive from those levied in other Flase Claims Act cases.  However, when you stop and consider the government’s assertions more carefully – with an eye to what they will ultimately be proving –  a key distinction emerges. 

End-of-life care is materially different.  Why?  One reason is that everyone deals with end-of-life on some level – either in terms of contemplating their own death (and thinking about how they want to be treated) or in terms of dealing with dying loved ones.  As the recent furor over alleged federal death panels in the context of the health care reform debates made clear, absolutely no one, regardless of their political views, thinks it is a good idea for the government to determine who can live and die in terms of the provision of health care services.

This emotional, almost visceral, reaction to the suggestion of government involvement in such a personal issue illustrates what the government is likely to encounter in these cases.  To prevail, the government will have to prove that some individuals got end-of-life care to which they were not entitled, or put another way, care that was just too expensive. 

The problem for the government, however, is that expensive end-of-life care is something that most people want for themselves and undoubtedly hope to provide for their loved ones.  No one really wants the government telling them that they cannot have it or that their relatives do not qualify.

Second guessing end-of-life decisions of doctors and well-meaning relatives is not something that a jury or judge will do lightly.  Nor are these decisions akin to the kinds of decisions involved in more routine False Claims Act cases – such as whether a doctor cut toe nails but billed for surgery.  Those kinds of cases are unemotional and, relatively speaking, can be fairly black and white.

Any hospice defendant worth its salt can produce grieving relatives of former (now deceased) hospice residents who will be prepared to testify about how wonderful the doctors and nurses were at XYZ company to their relative during the last days of their lives. 

Evidence that patients who were in care lived beyond the expected 6 months and even were released back to Skilled Nursing Facilities is also a double-edged sword.  While one conclusion from this sort of evidence could be that the patient did not qualify for hospice in the first place, another equally plausible explanation is that the patient received such good care in the hospice setting that they became stable or improved.  Thus, a logical defense (which does not even need to be explicitly mentioned) is that the government believes a false claim was filed because a hospice provided such good care that its nurses and doctors extended a dying patient’s life.  What relative wouldn’t be thrilled that their dying relative recovered or lived longer than expected? 

In the Golden Gate case, the government appears to try to blunt this emotional reaction by teeing up an emotional argument of its own:  Medicare is paid for by US taxpayers so you, members of the jury, are subsidizing unnecessary care.  Indeed, a reference to citizens (a/k/a jurors) paying for Medicare appears repeatedly in the government’s complaint in intervention. 

 There is nothing subtle about this strategy.  What remains to be seen is whether it works.  Second guessing end-of-life care — including its necessity — is hard business fraught with shades of grey.  That being said, neither party can be confident of the outcome:  as the old adage goes, there is nothing certain except death and taxes.  This case, of course, has both.

• Additional resources.
• Clearer regulations :)
• Increased stakeholder support for compliance activities.
• More predictable and quicker voluntary disclosure processes.
• A better way to keep track of regulatory developments and new business arrangements.
• Acknowledgement by regulators and enforcers that mistakes happen and not everything is fraud. 
• More compliance involvement in proposed transactions and arrangements – before they get done.
• The ability to learn about potential compliance concerns before they turn into more significant problems.

 What would you add to the list?

1. Regardless of what happens with the health care reform law, the current market forces toward collaboration, integration, efficiency and quality will continue.
2. At the same time, there will be much more Stark and Anti-kickback enforcement as the government steps up its scrutiny of hospital-physician relationships.
3. Medicaid enforcement will increase dramatically as the federal government pressures the states and the states endeavor to deal with funding pressures.
4. HIPAA enforcement will increase, and there will be more unfortunate and costly breaches as we implement more electronic records.
5. The DOJ/HHS HEAT initiative will ensnare some mainstream, institutional providers.
6. The HHS-OIG will more aggressively target hospitals through its current intensive hospital audits.
7. Many of the Implantable Cardioverter Defibrillator (ICD) investigations of hospitals across the country will be resolved.
8. The government and whistleblowers will increasingly target long term care, home health and community care.
9. While there will be large hospital settlements, device and pharmaceutical companies will write the biggest checks.
10. The HHS-OIG will seek to exclude more individuals who are associated with organizations that had compliance lapses.
11. The Health Care Compliance Association (HCCA) will continue to grow steadily and to serve its members’ needs assiduously.
12. There will be increased demand for strong compliance professionals as smart leaders continue to recognize their value.

What are your predictions?

One of the more challenging and rewarding aspects of being a health care attorney is taking a complex regulated environment and breaking it down in a way that is understandable, regardless of the audience.  In the compliance world, this means communicating the rules and how to follow them, the players and their influences and motivations. 

Over the weekend, while on a long car ride, my abilities to meet this challenge were put to the test by perhaps my toughest grader: my ten-year-old daughter. 

When she asked me what was keeping me so busy at work, I gave her my regular elevator speech:

I help people who provide health care to follow the rules and I defend them when somebody says they didn’t.

Being the precocious observer that she is (and because she has heard that a few times before), she found that answer to be completely unsatisfactory.  Pushing further, she asked: “Why is it so hard to follow the rules?”  After all, she doesn’t have any problem doing so, whether at home or school.  (Fortunately, this happens to be true.) 

I then explained what’s going on right now with Medicare and Medicaid enforcement.  Loving to sketch as she does, she took my words and put them into pictures.  When we arrived at our destination, she handed me this:

Enforcica

We recently took a family trip to Spain, where we saw some wonderful art, including that of Picasso.  In discussing his famous work Guernica, Picasso said:

. . . this bull is a bull and this horse is a horse… If you give a meaning to certain things in my paintings it may be very true, but it is not my idea to give this meaning. What ideas and conclusions you have got I obtained too, but instinctively, unconsciously. I make the painting for the painting. I paint the objects for what they are.

So, what do you see?  I’d be interested in your interpretive comments.  For now, I’m calling the piece Enforcica.

My colleage and blog co-editor, Rebecca Jones McKnight, wrote a clever and interesting Feature Focus in the December 2011 issue of the Health Care Compliance Association’s monthly publication, Compliance Today.  She wonders whether CMS is looking at Medicaid providers the way we looked at ants when we were kids.  (I’ll give you a hint:  it involved various uses of magnifying glasses . . .)  You can read it here.