Life Science Compliance Update


35 posts from August 2014

August 29, 2014

OIG Releases Special Fraud Alert: Laboratory Payments to Referring Physicians


Many physicians and other healthcare providers refer a high volume of patient specimens to third-party clinical laboratories every day. The Office of Inspector General (OIG) for the U.S. Department of Health and Human Services recently issued a Special Fraud Alert that addresses these relationships between laboratories and referring physicians.

The OIG’s Alert focuses on laboratories that may be violating the Federal Anti-Kickback Statute (AKS) in an effort to win business from referring physicians. OIG’s chief concern is that physicians will send specimens to the lab that pays the most rather than to the best lab, and that they will order tests that are not medically necessary, particularly if the payment arrangement is tied to the number of tests referred.

The OIG focused on two types of arrangements that it believes pose a substantial risk of fraud and abuse: (1) specimen collection and processing arrangements, and (2) registry arrangements.

Blood-Specimen Collection, Processing, and Packaging Arrangements (OIG notes this also applies to urine specimen and buccal swabs)

Physicians’ offices often collect, process, and ship patient specimens to clinical laboratories that offer diagnostic testing. The process for storing and shipping this sensitive material may include centrifuging the specimen, keeping it at a certain temperature, and packaging the specimen. Some diagnostic laboratories enter into arrangements with physicians to compensate them for the time and effort involved in this process. The OIG alert states that certain characteristics of a specimen processing arrangement may violate the anti-kickback statute.

Medicare already reimburses physicians for processing and packaging specimens for transport to a clinical laboratory through a bundled payment, so the OIG is concerned about the potential that physicians will be paid twice. For example, if the physician already receives a payment from Medicare, additional payments may demonstrate intent to violate the Anti-Kickback Statute, even if those payments are "fair market value."

OIG's specific factors include:

  • Payment that exceeds fair market value for services actually rendered by a physician;
  • Payment for services that are covered by a third party, such as Medicare;
  • Payment made on a per-specimen basis for more than one specimen collected in a single patient encounter, or on a per-test, per-patient, or other basis that takes into account the volume or value of referrals;
  • Payment is offered on the condition that the physician order either a specified volume or type of tests or test panel, especially if the panel includes duplicative tests (e.g., two or more tests performed using different methodologies that are intended to provide the same clinical information), or tests that otherwise are not reasonable and necessary or reimbursable;
  • Payment is made to the physician or the physician’s group practice, despite the fact that the specimen processing is actually being performed by a phlebotomist placed in the physician’s office by the laboratory or a third party.

Registry Arrangements

Second, the OIG focuses on a scenario in which laboratories establish databases to collect data on patients who have undergone or who may undergo certain tests performed by the laboratories, known as "registries" or "observational outcomes databases." OIG notes that these registry arrangements may have legitimate purposes to advance clinical research or provide other benefits, but often involve payments from the laboratories to the physicians for duties such as submitting data, answering patient questions, or reviewing reports.

“Registry Arrangements may induce physicians to order medically unnecessary or duplicative tests, including duplicative tests performed for the purpose of obtaining comparative data, and to order those tests from laboratories that offer Registry Arrangements in lieu of other, potentially clinically superior, laboratories,” OIG states.

The Special Fraud Alert provides several examples of characteristics of a registry arrangement that may signal a kickback agreement, including where:

  • The laboratory requires, encourages, or recommends that physicians who enter into Registry Arrangements perform the tests with a stated frequency (e.g., four times per year) to be eligible to receive, or to not receive a reduction in, compensation.
  • The laboratory collects comparative data for the Registry from, and bills for, multiple tests that may be duplicative (e.g., two or more tests performed using different methodologies that are intended to provide the same clinical information) or that otherwise are not reasonable and necessary.
  • Compensation paid to physicians pursuant to Registry Arrangements is on a per-patient or other basis that takes into account the value or volume of referrals.
  • Compensation paid to physicians pursuant to Registry Arrangements is not fair market value for the physicians’ efforts in collecting and reporting patient data.
  • Compensation paid to physicians pursuant to Registry Arrangements is not supported by documentation.
  • The laboratory offers Registry Arrangements only for tests (or disease states associated with tests) for which it has obtained patents or that it exclusively performs.
  • When a test is performed by multiple laboratories, the laboratory collects data only from the tests it performs.
  • The tests associated with the Registry Arrangement are presented on the offering laboratory’s requisition in a manner that makes it more difficult for the ordering physician to make an independent medical necessity decision with regard to each test for which the laboratory will bill (e.g., disease-related panels).

Some final notes, worth considering:

First, by releasing this Fraud Alert, the OIG has signaled that it views these referral arrangements as "inherently suspect."

Second, and perhaps most notably, the OIG cautioned that arrangements covering only non-Federal health care program (non-FHCP) patients are not in the clear. The OIG has addressed this before in what it deems impermissible “swapping arrangements.” Accordingly, compensation for specimen collection or registry services on non-FHCP patients may be scrutinized by the OIG as “disguised” remuneration for FHCP business.

Third, remuneration under the AKS does not have to be cash. Free or reduced-price supplies, or any other in-kind benefit a lab offers a referring physician, can count as illegal remuneration just as a payment would.

Finally, if an arrangement violates the AKS, both parties to the transaction are criminally liable. Claims that result from an arrangement that violates the AKS may also be false claims under the False Claims Act.

August 28, 2014

Open Payments Upcoming Outages; Review & Dispute Extended to September 10th

CMS still aiming to publish its data by September 30th.


The Centers for Medicare and Medicaid Services (CMS) just emailed out new updates for physicians looking to access their payment data on Open Payments: 

Access to the Open Payments system will be unavailable for approximately two days due to the upcoming maintenance updates at the CMS Data Center.

"Please plan accordingly and we apologize for any inconvenience. CMS will alert you of each outage, as they are scheduled, with as much notification as possible."

Date: Saturday, 8/30/2014
Start Time: 1:00 a.m.
End Time: 11:00 a.m.

Date: Saturday, 9/5/2014
Duration Time: More information to follow next week.

For questions please contact the Open Payments helpdesk (see below).

To allow ample time in the review, dispute and correction processes, CMS is extending the deadlines for review and dispute, and correction. The revised timeline is below:

  • Review and dispute (45 days): 7/14/2014 – 8/3/2014, 8/14/2014 – 9/10/2014
  • Correction period (15 days): 9/11/2014 – 9/25/2014

The date for data publication remains the same, September 30, 2014.

CMS states: For more information about Open Payments, please visit the Open Payments website. If you have any questions, you can submit an email to the Help Desk. Live Help Desk support is available by calling 1-855-326-8366, Monday through Friday, from 7:30 a.m. to 6:30 p.m. (CT), excluding Federal holidays.


Electronic Health Records Update: As Adoption of EHRs Increases, So Do Privacy and Data Security Concerns

Physicians in all specialties have steadily adopted electronic health records (EHRs). However, as doctors have embraced technology for streamlining patient records, we have seen a marked uptick in data breaches by hackers who want access to the reams of information stored in these systems.

Current State of Electronic Health Records: High EHR Adoption, Low Interoperability

A forthcoming article in Health Affairs outlines the current state of EHR adoption: “Using data from the 2009–13 Electronic Health Records Survey, we found that EHR adoption continues to grow: In 2013, 78 percent of office-based physicians had adopted some type of EHR, and 48 percent had the capabilities required for a basic EHR system.”

This is a good thing in many ways. Technology allows doctors to quickly look at patients’ medical history and search for patterns, making it easier to diagnose conditions and reduce unnecessary testing. Doctors may also be able to track lab results faster and share progress with their patients. But the true potential of EHRs lies in the interoperability of patient records. As doctors begin to use EHRs to securely share health information outside of their organization, a wide variety of providers would be able to access information about a patient’s medication, health issues, and tests. This would be especially useful in emergency treatment situations.

The Health Affairs report, however, found that “physicians’ electronic health information exchange with other providers was limited, with only 14 percent sharing data with providers outside their organization.” Sens. Ron Wyden (D-Ore.) and Chuck Grassley (R-Iowa) recently issued a call for comment on health care data "interoperability." The American Medical Group Association (AMGA) responded: While “[h]ealthcare data, and its transparent use, has the potential to better educate the consumer/patient and drive significant change and improvement in the delivery system...[c]urrently, data is fragmented among provider, payor, and government silos, and often jealously protected.”

The Big Concern: Data Breaches

Ironically, the very technology that allows health records to be exchanged between physicians and hospitals also makes them susceptible to data breaches. Furthermore, because EHRs bundle a lot of important information in one place, hackers have access to personal identification information, insurance information, lab results, and a host of other private, potentially lucrative data.

In April, Reuters reported that the FBI warned healthcare organizations that their electronic data protection systems were lax compared with other sectors. “Health data is far more valuable to hackers on the black market than credit card numbers because it tends to contain details that can be used to access bank accounts or obtain prescriptions for controlled substances.” In a letter circulated to healthcare providers, the FBI stated: "The healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely.” (Reuters).

Fast forward to August 20. Last week, the FBI issued a “flash” alert warning healthcare organizations that they are being directly targeted by hackers (Reuters).

The FBI alert came shortly after the breach of Community Health Systems (CHS), a hospital chain based in Tennessee. CHS is one of the largest hospital operators in the country, with more than 200 hospitals in 29 states. CHS reported in its SEC filing that the breach resulted from a targeted external cyber-attack on its computer network in April and June 2014. CHS believes the attacks originated from China and involved "highly sophisticated malware and technology" that enabled the attacker to bypass CHS’s security measures. The incident is reportedly the second-largest HIPAA breach ever reported and the largest hacking-related HIPAA breach ever reported (iHealthBeat).

HIPAA Violation? 

According to CHS’s SEC filing, the attackers were able to copy and transfer data, including patient names, addresses, birth dates and, worst of all, Social Security numbers, to networks outside of CHS. Notably, the attackers did not acquire credit card numbers or any medical or clinical information. HIPAA nonetheless covers all of the stolen personal information: patient identifiers held by a covered entity are protected health information even when no clinical details accompany them.

Under the HIPAA Security Rule, covered entities and their business associates must conduct a risk analysis of the internal and external threats to the electronic protected health information they hold and implement reasonable and appropriate safeguards, taking into account the entity’s size and capabilities, its technical infrastructure, the cost of the security measures, and the probability and criticality of the risks (45 C.F.R. § 164.306).

In CHS’s case, the novelty of the attack may work in its favor. Info Security states: "The widely publicized recent Community Health Systems data breach that compromised the private information of about 4.5 million patients, has been shown to have resulted from the Heartbleed vulnerability – marking the first time Heartbleed has been linked to an attack of this size. According to researchers, these events should point out changing security concerns for the healthcare environment." Heartbleed (CVE-2014-0160), disclosed publicly on April 7, 2014, is a missing bounds check in OpenSSL’s TLS heartbeat extension: an unauthenticated remote party can read up to 64 KB of the server process’s memory per request, which can include private keys, session cookies and user credentials. Note that the Heartbleed attribution comes from outside researchers; CHS’s own filing describes only "highly sophisticated malware and technology."

Whether CHS was on notice is the key question. Heartbleed was disclosed publicly on April 7, 2014, with a fixed OpenSSL release (1.0.1g) available the same day, and CHS’s filing places the intrusions in April and June 2014, so liability may turn on which intrusion exploited the bug and how quickly CHS patched. "Prior to hitting the news, it would be hard to say they were liable because no one knew about it and everyone relied on SSL, so it was reasonable and appropriate to rely on it as an industry standard at that point," said Perkins Coie LLP partner Dean Harvey. However, "[t]hey would have a hard time under HIPAA saying that they took reasonable and appropriate safeguards if they knew the Heartbleed vulnerability was out there and they didn't apply the appropriate patches," Harvey said (Law360). The level of encryption that CHS employed may also play a significant role in the company’s potential liability, attorneys say.
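A first-pass check for the exposure Harvey describes, added here as an example (it is not from the article, from CHS or from Law360): given the output of `openssl version` collected from each host, classify it against the Heartbleed affected range and list the hosts that need action. The host names and version strings below are constructed sample data, and the classification assumes upstream OpenSSL version numbering.

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example: classify OpenSSL version banners against the Heartbleed
# (CVE-2014-0160) affected range. Not from the article or from CHS.
# Affected upstream releases: 1.0.1 through 1.0.1f, and 1.0.2-beta1.
# Fixed in 1.0.1g (released 7 April 2014) and 1.0.2-beta2.
# 0.9.8 and 1.0.0 never had the bug; later branches were released after the fix.

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(\S*)")


def parse_openssl_banner(banner: str) -> Optional[Tuple[int, int, int, str, str]]:
    """Pull (major, minor, patch, letter, tail) out of 'openssl version' output.

    'OpenSSL 1.0.1e-fips 11 Feb 2013' -> (1, 0, 1, 'e', '-fips')
    'OpenSSL 1.0.2-beta1 24 Feb 2014' -> (1, 0, 2, '', '-beta1')
    """
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter, tail = m.groups()
    return int(major), int(minor), int(patch), letter, tail


def heartbleed_status(banner: str) -> str:
    """Return 'vulnerable', 'fixed', 'unaffected' or 'unknown' for one banner.

    This is an upstream-version check only. Distribution backports (Red Hat's
    fixed packages still report 1.0.1e) and builds compiled with
    OPENSSL_NO_HEARTBEATS are invisible here, so 'vulnerable' means
    'confirm against the package changelog or a live heartbeat test'.
    """
    parsed = parse_openssl_banner(banner)
    if parsed is None:
        return "unknown"
    major, minor, patch, letter, tail = parsed
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f shipped the bug; 1.0.1g and later are fixed.
        # An empty letter sorts before 'f', so the plain 1.0.1 release is caught too.
        return "vulnerable" if letter <= "f" else "fixed"
    if (major, minor, patch) == (1, 0, 2):
        # Only the first 1.0.2 beta carried the bug.
        return "vulnerable" if tail == "-beta1" else "fixed"
    return "unaffected"


def hosts_needing_action(inventory: Dict[str, str]) -> List[str]:
    """Hosts whose banner is in the affected range or could not be parsed."""
    return sorted(
        host for host, banner in inventory.items()
        if heartbleed_status(banner) in ("vulnerable", "unknown")
    )


# Constructed sample inventory (hypothetical hosts, not CHS systems).
SAMPLE_INVENTORY = {
    "portal-1": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "portal-2": "OpenSSL 1.0.1g 7 Apr 2014",
    "legacy-vpn": "OpenSSL 0.9.8y 5 Feb 2013",
    "lab-api": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "appliance": "version string unavailable",
}

if __name__ == "__main__":
    for host, banner in SAMPLE_INVENTORY.items():
        print(f"{host:12} {heartbleed_status(banner):12} {banner}")
    print("needs action:", ", ".join(hosts_needing_action(SAMPLE_INVENTORY)))
```

A version string is evidence, not proof, in either direction: several distributions backported the fix without changing the reported version, and a build compiled with OPENSSL_NO_HEARTBEATS was never exposed. The output is a list of hosts to verify and document, which is exactly the record a covered entity would want to be able to produce when asked whether it knew about the vulnerability and what it did about it.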

Regardless of the merits, according to the National Law Journal, five individuals from Alabama are already suing the company, claiming CHS took too long to report the breach. They allege that CHS didn't give patients enough time to protect themselves from identity theft.

Additional Data Breaches

Capital New York recently ran a story on the recent slew of data breaches:

“The numbers are staggering. The Centers for Medicare and Medicaid Services tracks nearly 300,000 compromised Medicare-beneficiary numbers. The Office for Civil Rights received more than 77,000 complaints regarding breaches of health information privacy and completed more than 27,000 investigations, which have resulted in more than 18,000 corrective actions.

“During the last three years, the U.S. Department of Health and Human Services has recorded 18 breaches in New York compromising more than 100,000 patient records (though 97,000 came in one breach), including some of the most respected names in the industry such as Memorial Sloan Kettering, North Shore-L.I.J. and Mount Sinai.

Some of the largest breaches have come from medical centers with stellar clinical reputations,” said Ken Rashbaum, an attorney with Barton L.L.P., who specializes in cases related to the federal Health Insurance Portability and Accountability Act (HIPAA), and advises hospitals and health systems on how to remain in compliance with state and federal privacy laws. “Stanford, Johns Hopkins. There have been several others around the country that have had data breaches of one kind or another. There is no correlation between the egregiousness of the breach and the clinical quality of the institution." (Capital New York)

The National Law Review provided a breakdown of breaches in the last year involving information held by healthcare providers. (For a full list of reported breaches, see the Office for Civil Rights breach portal.)

  • A breach reported by St. Joseph Health System in Texas affecting 405,000 individuals. The breach may have included names, Social Security numbers, medical information, etc.
  • A breach reported by UW Medicine in Washington affecting over 76,000 individuals.
  • A breach reported by Centura Health in Colorado affecting over 12,000 individuals.
  • A breach reported by Nrad Medical Associates in New York affecting 97,000 individuals.
  • A breach reported by the Montana Department of Public Health and Human Services affecting over 1,060,000 individuals.

An important takeaway from these latest breaches is that the threat to patients is more than financial. “When someone steals your medical identity and falsely bills an insurance company for an insulin pump, your insurer might conclude that you are diabetic,” states Pam Dixon, executive director of the nonprofit World Privacy Forum based in San Diego. “If a medical record is altered, whether by a doctor or a hacker, those alterations can follow a patient forever, providing subsequent doctors with incorrect medical information that could alter a diagnosis.” (Capital New York)

