‹ Back to Listing

Attorneys

Health Care Regulatory and Legislative Update

Print Page
Share
March 22, 2017

American Health Care Act Moves Through House Committees; Floor Vote Scheduled for Thursday

Last week, after a less than favorable Congressional Budget Office (“CBO”) score (see our analysis here), the House Budget Committee moved the American Health Care Act (“AHCA”) on to the House Rules Committee by a narrow vote (19-17). On Monday, Republican leaders unveiled a “manager’s amendment” to the AHCA, which makes several changes, including:

The House Rules Committee continues to mark-up the bill today, with hopes of bringing the AHCA to the House floor for a full vote tomorrow. It remains unclear whether a CBO score of the revised legislation will be available before the House vote. Assuming no Democrats support the bill, the GOP can only lose 22 GOP House votes in its 237-member caucus. Many conservatives, notably those within the House Freedom Caucus, have stated opposition to the bill. By The Washington Post’s count, 24 GOP House members said they’ll outright oppose it or are very strongly leaning against it. Should the bill make it to the Senate, the GOP can only lose 2 votes. We will continue to monitor and provide updates as the bill progresses.

Large FCA Judgment Against Nursing Home Operators Could Trigger Cross-Default Provisions of Loan Providing Operating Capital to 183 Non-Defendant Co-Obligors

On March 1, 2017, in the case of United States and Florida ex rel. Ruckh v. CMC II, LLC, et al., 8:11-cv-1303 (M.D. Fl.), the U.S. District Court ordered defendant nursing facility operators — Sea Crest Health Care Management, LLC and CMC II, LL — to pay a $347 million judgment for 446 violations of the False Claims Act (“FCA”). The jury in the case returned a $115 million verdict, which the Court then trebled and added on more than $2.4 million in penalties. The judgment is the result of a FCA qui tam lawsuit in which a registered nurse briefly employed by two of the defendant’s nursing facilities alleged that the defendants knowingly inflated Medicare, Medicaid and TRICARE reimbursement by overstating the amount of therapy administered to patients. The whistleblower also alleged that the fraudulent scheme was encouraged by senior management officials who established target reimbursement rates for each skilled nursing facility and offered employee bonuses for exceeding those rates.

While the large judgment demonstrates the potentially crippling effect of an FCA jury trial, the verdict’s potential effect on the defendants’ lenders and co-obligors is particularly noteworthy. On March 13, 2017, the defendants filed an emergency motion to stay execution of the judgments pending the Court’s consideration of post-trial motions. The emergency stay motion explains that “Defendants’ current total inability to pay the Judgment will trigger the cross default provisions of a large loan facility needed to continue Defendants’ daily operations. Additionally, Defendants are co-obligors on these loans with other non-Defendant skilled nursing facilities, and any default by Defendants will trigger a coextensive financial collapse of approximately 183 non-Defendant affiliated skilled nursing facilities.” On March 15, 2017, the Court granted the stay of execution, acknowledging the potential impact on nursing facility patients: “The specter of a “cascading default” that might force the closing of 183 skilled nursing facilities and might displace more than 17,000 vulnerable patients warrants a stay of execution on the judgments during the pendency of the defendants' renewed motion for judgment as a matter of law.” During the stay, the defendants are forbidden from conducting transactions outside the ordinary course of business, must respond promptly to reasonable requests by the whistleblower and the government for the defendants’ financial information, and must allow the whistleblower and the government to access the defendants’ financial records. The defendants’ post-trial motions are due on March 29. 

HIPAA Settlement Underscores Importance of Audit Controls and Timely Mitigation of Issues Identified in Security Risk Assessments

Last month, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that Memorial Healthcare System (“MHS”), which operates health care facilities in the South Florida area, had agreed to pay $5.5 million to settle potential violations of the Health Insurance Portability and Accountability Act (“HIPAA”). The Resolution Agreement between the health system and OCR also contains a detailed corrective action plan. According to the press release, MHS self-reported that the electronic protected health information (“ePHI”) of 115,143 individuals had been impermissibly accessed by employees and disclosed to affiliated physician office staff. Specifically, the login credentials of a former employee of an affiliated physician’s office had been used to access the ePHI maintained by MHS on a daily basis without detection from April 2011 to April 2012. Although the health system had certain HIPAA policies and procedures in place, it failed to (1) implement procedures with respect to reviewing, modifying and/or terminating users’ right of access and (2) regularly review records of information system activity on applications that maintain ePHI by workforce users and users at affiliated physician practices, despite having identified this risk on several HIPAA security risk assessments conducted by MHS from 2007 to 2012.

While hacking and other outside cybersecurity threats claim the media spotlight, this settlement highlights the security threat posed current and former employees and the need to implement effective user audit controls. Notably, this settlement came less than two months after OCR published guidance on the importance of audit controls (“Guidance”). As explained in the Guidance, the HIPAA Security Rule provision on Audit Controls (45 C.F.R. § 164.312(b)) requires HIPAA Covered Entities and Business Associates to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. Additionally, this settlement demonstrates that conducting HIPAA security risk assessments are not enough; to the extent a risk assessment identifies security weaknesses or failures, the entity must address those risks in a timely manner. More information on HIPAA security risk assessments, and the HIPAA Security Rule generally, can be found here.

OIG Reports that State Medicaid Fraud Control Units Recovered $1.9 Billion in FY 2016

According to data published by the Department of Health and Human Services Office of the Inspector General (“OIG”), State Medicaid Fraud Control Units (“MFCUs”) recovered $1.9 billion in fiscal year 2016. MFCUs, which operate in 49 States and the District of Columbia, investigate and prosecute Medicaid provider fraud as well as patient abuse or neglect in health care facilities. MFCUs are usually a part of the State Attorney General’s office and employ teams of investigators, attorneys, and auditors. The OIG, in exercising oversight for the MFCUs, annually recertifies each MFCU, assesses each MFCU's performance and compliance with Federal requirements, and administers a Federal grant award to fund a portion of each MFCU's operational costs. An OIG report analyzing the data will likely be issued later this year. Until then, the raw data shows that the MFCUs conducted 18,730 investigations resulting 1,721 indictments, 1,564 convictions, and $1.9 billion in recoveries. New York had the largest amount of recoveries ($229 million), followed by Florida ($165 million) and California ($136 million).