As Genetic Testing Booms and Fraud and Abuse Scrutiny Increases, Providers Need to Keep Medical Necessity in Mind
On April 10, 2017, the United States Department of Justice (“DOJ”) announced that Prestige Healthcare (“Prestige”), a multi-state nursing home operator, agreed to pay $995,500 to resolve allegations that it participated in a genetic testing scheme in violation of the federal False Claims Act (“FCA”). According to the DOJ press release, Prestige was approached by Genomix LLC, which claimed that it could conduct genetic testing on Prestige’s Medicare residents to determine whether they were “properly metabolizing” medication. Prestige provided Genomix with insurance and medical information for, and access to, residents in its nursing homes to conduct the cheek-swab genetic tests, but failed to obtain physician orders for such tests or confirm with treating physicians that the tests were medically necessary. Additionally, Prestige allegedly failed to inform patients about the testing, and offer them a chance to decline.
In order to bill laboratory services to Medicare, a health care facility must obtain the treating physician’s signed order and documentation to support medical necessity for the ordered service(s). Services that are deemed excessive or not medically necessary can be prosecuted as false claims under the FCA. As government health care dollars continue to flow into the genetic laboratory testing sector, government agencies will likely increase investigations of possible fraud and abuse. As stated by Lamont Pugh III, Special Agent in Charge for the Office of Inspector General of the U.S. Department of Health and Human in the DOJ press release: “As genetic testing technology is evolving, we see the same types of clinical testing abuses that are evident in more established testing. Along with our law enforcement partners, we will investigate and prosecute violations in these newer health care technologies.”
As medical professionals continue to work with the genetic testing industry to determine which tests are reliable and whether they should be integrated into medical care, providers need to take care to only order tests deemed medically necessary by a treating physician. Providers should also be wary of partnering with genetic testing companies that propose aggressive testing regimes.
House Republican Leaders Attempt to Revive the American Health Care Act with Risk-Sharing Fund Amendment
On April 6, 2017, shortly before adjourning for a two-week recess, the House Committee on Rules approved an amendment to the American Health Care Act (“AHCA”) to create a nine-year, $15 billion, “Invisible Risk Sharing Program” to reimburse health insurers offering plans in the individual market for high-cost enrollees (“Amendment”). The Amendment, sponsored by Gary Palmer (R-AL) and David Schweikert (R-AZ), marks the first official attempt to revive the AHCA, which Republican leaders pulled from consideration on March 24, 2017 due to insufficient support. The Amendment, which aims to lower premiums for health coverage offered in the individual market, does not describe how insurers would apply for reimbursement from the program, what types of claims would qualify, or the mechanisms by which the program would operate. It is unlikely that this Amendment alone will be enough to convince House Speaker Paul Ryan to bring the AHCA to the floor for a vote. In an interview with Fox News, Ryan called the amendment “real progress,” but added that Republicans are working on other ideas to build a Republican consensus. We will continue to closely monitor health reform progress once the House is back in session.
Failure to Conduct a HIPAA Security Risk Assessment Results in Fine and Corrective Action Plan for Federally Qualified Health Center
On April 12, 2017, the United States Department of Health and Human Services, Office for Civil Rights (“OCR”) announced a $400,000 Health Insurance Portability and Accountability Act (“HIPAA”) settlement and corrective action plan with Metro Community Provider Network (“MCPN”), a federally-qualified health center (“FQHC”), based on the FQHC’s lack of a security management process to safeguard electronic protected health information (“ePHI”). While the settlement amount is substantially lower than other recent HIPAA breach settlements, OCR emphasized that it considered MCPN’s status as a FQHC that provides health care services to patients at or below the poverty level in determining the settlement amount.
According to the OCR press release, in early 2012 MCPN filed a breach report with OCR indicating that a hacker accessed employees' email accounts and obtained 3,200 individuals' ePHI through a phishing incident. OCR’s subsequent investigation revealed that while MCPN took necessary corrective action related to the phishing incident, it had failed to conduct the required HIPAA security risk analysis prior to the hacking breach to determine any risks or vulnerabilities in its ePHI environment. Consequently, it also had not implemented any corresponding risk management plans. Although MCPN conducted a risk analysis after the breach incident, OCR also determined that the completed risk analysis, as well as all subsequent risk analyses, were insufficient to meet the requirements of the HIPAA Security Rule (45 C.F.R. §§ 164.302 – 318).
This settlement highlights that conducting a HIPAA Security Rule risk assessment it is not enough. Providers need to both (1) take care that the risk analysis meets the requirements of the HIPAA Security Rule, and (2) act to address any deficiencies identified in the risk analysis and develop corresponding risk management plans. The National Institute of Standards and Technology (”NIST”) developed the “NIST HIPAA Security Toolkit Application” to help organizations better understand the requirements of the HIPAA Security Rule, implement those requirements, and assess those implementations in their operational environment.