SPSK Health Law Dispatch March 2017
The Common Rule, Finally Revised
By Daniel O. Carroll, Esq.
On January 19, 2017, the U.S. Department of Health and Human Services and fifteen other federal departments and agencies issued final revisions to the Federal Policy for the Protection of Human Subjects (commonly known as the “Common Rule”). The final rule implements significant revisions to modernize and enhance the Common Rule with the stated intention “to better protect human subjects involved in research, while facilitating valuable research and reducing burden, delay, and ambiguity for investigators.” 82 Fed. Reg. 7149 (Jan. 19, 2017). Importantly, a majority of the revisions to the Common Rule do not require compliance until January 19, 2018, which allows research institutions time to implement necessary changes. Research initially approved by an Institutional Review Board (“IRB”) or determined to be exempt prior to January 19, 2018 remains subject to the pre-2018 Common Rule requirements. Research initially approved by an IRB or determined to be exempt on or after January 19, 2018 is subject to the revised Common Rule requirements.
The Common Rule still only applies to federally funded research unless a recipient of federal funds is required by a federal agency to apply Common Rule protections to other research. While not all proposed revisions to the Common Rule were adopted, the final rule does include some major revisions of note.
With respect to the reach of the Common Rule, the final rule changes the regulatory definition of research and establishes new exempt categories of research based on their risk profile. Under the revised Common Rule, the following activities have been removed from the definition of research: (1) certain scholarly and journalistic activities; (2) public health surveillance activities; (3) collections/analyses for criminal justice or criminal investigative purposes; and (4) authorized operational activities in support of national security missions. In addition, there are now eight categories of exempt research based on risk profile, some of which will still require limited IRB review to ensure that there are adequate privacy safeguards for identifiable private information and identifiable biospecimens.
Informed consent requirements have changed to ensure that prospective research subjects are provided with key information most likely to assist a reasonable person in deciding whether or not to participate in research. The revised Common Rule also allows the use of broad consent (i.e., seeking prospective consent to unspecified future research) for storage, maintenance, and secondary research use of identifiable private information and identifiable biospecimens. A further revision to foster the use of better consent forms requires the posting of one IRB approved informed consent form on a publicly available federal website. Moreover, the final rule seeks to reduce the administrative burden of, and increase efficiencies in, IRB oversight by requiring most U.S.-based institutions engaged in multi-site research to use a single IRB by the year 2020 for that portion of the research that takes place within the United States.
The full text of the final rule can be found here. Of course, like all federal regulations (particularly recently adopted regulations), the regulations revising the Common Rule may be subject to repeal, change or delay in implementation. For more information, contact Daniel O. Carroll at [email protected], or (973) 631-7842.
New Jersey Lawmakers Aim to Curb Opioid Abuse
By Meghan V. Hoppe, Esq.
On February 15, 2017, New Jersey Governor Chris Christie signed into law P.L. 2017, c. 28. The new law places certain restrictions on the prescribing, administering or dispensing of controlled dangerous substances, with specific limitations for opioid drugs. It also establishes special requirements for the management of acute and chronic pain; requires health insurance plans to provide unlimited benefits for inpatient and outpatient treatment of substance use disorders at in-network facilities; and requires health care providers to attend related continuing education classes.
The law imposes restrictions on how opioids and other Schedule II controlled substances may be prescribed. In cases of acute pain, a practitioner cannot issue an initial prescription for an opioid drug in a quantity exceeding a five-day supply, and it must be in the lowest effective dose of an immediate-release opioid drug. Practitioners are able to extend the prescription after the fourth day if the patient’s pain has not subsided. The law further requires practitioners to include a note in the patient’s medical record that the patient, or the patient’s parent or guardian, has been advised of the risks of developing a physical or psychological dependence on the controlled dangerous substance and alternative treatments that may be available. Specifically exempted from this limitation are patients in active treatment for cancer, receiving hospice care, palliative care, or residing in a long-term care facility.
The law will also require that health insurers, the State Health Benefits Program, and the School Employees’ Health Benefits Program provide unlimited benefits for up to six months of medically ordered inpatient and outpatient treatment at in-network facilities for substance use disorders. If there is no in-network facility immediately available, insurers must provide necessary exemptions to their network to ensure the covered person’s admission in a treatment facility within twenty-four hours. The law prohibits insurance companies from requiring prior authorization for the services for the first 180 days per plan year.
The law also will require certain health care professionals, including Physicians, Physician Assistants, Dentists, and Optometrists, to complete one continuing education credit on topics that include responsible prescribing practices, alternatives to opioids for managing and treating pain, and the risks and signs of opioid abuse, addiction, and diversion.
The bipartisan bill passed both houses of the Legislature without opposition and will go into effect May 16, 2017. Referencing the “public health crisis brought about by opioid and heroin abuse”, and in anticipation of the law becoming effective in May, the Attorney General and the State Board of Medical Examiners implemented emergency rules, effective as of March 1, 2017, to remain in effect for sixty (60) days. The rules amended N.J.A.C. sections 13:35-2A.14; 2B.12; and 7.6. The emergency rules were also concurrently proposed for re-adoption to permit members of the regulated community and the public to submit comments concerning the rules and the intention of the Attorney General and Board to make these rules permanent. The emergency rules implement certain provisions of the new law immediately, and also provide that failure to adhere to the standards set forth in the new rules will provide a basis for the Attorney General and the Board to seek emergent action to suspend or limit a practitioner’s license.
For more information, contact Meghan V. Hoppe at [email protected], or (973) 540-7351.
Court Upholds Self-Critical Analysis Privilege Under the Patient Safety Act
By Peter A. Marra, Esq. and Benjamin A. Hooper, Esq.
On February 6, 2017, in the matter Brugaletta v. Garcia, D.O. et al., the New Jersey Appellate Division held that pursuant to the Patient Safety Act, N.J.S.A. 26:2H-12.23 et seq., (the Act), the absolute privilege over certain documents that a hospital develops as part of a self-critical analysis in accordance with its safety plan is not waived based upon a failure of the hospital to report the event to the New Jersey Department of Health. In this medical malpractice action, the plaintiff alleged that a hospital and various medical providers negligently diagnosed her ruptured appendix and failed to detect a pelvic abscess. Plaintiff asserted that she developed fasciitis which required multiple debridement procedures and intravenous antibiotics administration.
In response to plaintiff’s discovery demands, the hospital identified, but withheld as privileged, a document described as an “Event Detail History with all Tasks.” Plaintiff sought to compel production of the document. The trial court ruled that the plaintiff suffered a “serious preventable adverse event” (SPAE) and that the hospital failed to report it to the New Jersey Department of Health or disclose it to plaintiff. The trial court held that under these circumstances it was appropriate to disclose portions of the documents to the plaintiff.
On appeal, the New Jersey Appellate Division reversed the lower court. The appellate court held that the trial court erred in predicating the self-critical analysis privilege on the hospital’s compliance with its obligation to report a SPAE to regulators or the patient. The Appellate Court ruled that the only statutory precondition of the self-critical analysis privilege is compliance with section (b) of the Act which requires hospitals to “develop and implement a patient safety plan.” N.J.S.A. 26:2H-12.25(b). The court stated that the self-critical analysis is protected as long as it is conducted according to the hospital’s safety plan. Additionally, the appellate court concluded that the trial court erred in determining that the hospital violated its reporting obligation because the trial court’s finding that the plaintiff suffered a SPAE lacked sufficient supporting evidence in the record.
This decision reaffirms the confidentiality and privilege of self-critical analysis performed pursuant to a hospital’s patient safety plan. For more information, contact Peter A. Marra at [email protected], or (973) 540-7311, or Benjamin A. Hooper at [email protected], or (973) 631-7847.
Inexcusable Delays in Compliance Result in First HIPAA Settlements of 2017
By Deborah A. Cmielewski, Esq.
The Department of Health and Human Services, Office for Civil Rights (“HHS”) hit the ground running in 2017 with two settlements that resulted from inexcusable delays in HIPAA compliance by covered entities. These settlements arose from breach notifications made several years ago by Presence Health Network (“Presence”), a comprehensive health care system in Illinois, and Children’s Medical Center of Dallas (“Children’s”), one of the nation’s largest pediatric health care centers.
In HHS’ first settlement of 2017, Presence agreed to pay a resolution amount of $475,000 and to enter into a Corrective Action Plan arising from the theft of paper-based operating room schedules containing the protected health information (“PHI”) of 836 patients. Although Presence became aware of the breach on October 22, 2013, due to alleged miscommunications between its workforce members, it failed to make breach notification to affected individuals, HHS and the media for more than 100 days. The Breach Notification Rule requires such notifications without unreasonable delay and in no event more than 60 calendar days following the discovery of a breach. The Corrective Action Plan required Presence to revise its relevant policies and procedures, to train its staff and to provide HHS with ongoing reports relating to these issues.
On February 1, 2017, HHS imposed a $3,217,000 civil monetary penalty against Children’s, arising from the loss of an unencrypted, non-password protected Blackberry device that contained the electronic PHI of approximately 3,800 patients. HHS’ investigation revealed that Children’s engaged an external consultant to evaluate its security risks and had actual knowledge of the potential risks to ePHI dating back to at least 2007. Despite the availability of commercial encryption products, Children’s issued unencrypted mobile devices from 2007 until at least 2013. Notably, HHS issued a Notice of Proposed Determination on September 16, 2016 and offered Children’s the opportunity to request a hearing. Children’s failed to request a hearing within the required time frame and HHS issued a Notice of Final Determination that rendered the civil monetary penalty final. HHS determined that Children’s demonstrated a pattern of non-compliance that continued over a period of years; it had no risk management program in place and failed to encrypt mobile devices issued to workforce members or to institute a sufficient alternative, despite a recommendation by an external consultant to do so.
These settlements underscore the danger to HIPAA-covered entities of permitting inexcusable delays to affect their compliance efforts. Despite their considerable size and resources, Presence and Children’s failed to adhere to the basic tenets of HIPAA compliance. Covered entities and business associates should implement a methodical review of their policies and procedures, training programs and risk management plans.
For more information, contact Deborah A. Cmielewski at [email protected], or (973) 540-7327.
Podiatric Physicians Continue to Face Rising Audits
By Brian M. Foley, Esq. and Sharmila D. Jaipersaud, Esq.
Podiatrists have recently been at a higher risk for audit by both government and commercial payers. One of the most common areas for audit has been the HCPCS orthotic code, L3000. The L3000 is a customized removable foot insert, molded to the patient, with a raised heel cup. The L3000 is created using a three-dimensional model of the patient’s foot. Such model can be created by casting, foam, or even a digital image. Recently, a number of payers have denied payment for the L3000 based on a variety of factors, ranging from a determination that L3000’s are not in existence in their current form, to a determination that the true code should be L3020. Another reason the payers are denying reimbursement is that the services rendered for the L3000, and the casting and fitting, should be bundled and not billed separately. Whether it is a prospective denial of a claim, a demand for repayment of prior claims, or a combination of the two, the outcome of these audits can be significant to a practice.
Audits can be triggered for a number of reasons, such as when a practice stands out statistically or when someone has filed an allegation against the provider. Audits can also be random. A payer’s demand for recoupment of an alleged overpayment is often based on extrapolation, a method of reviewing only a small sample of patient records and then asserting an error rate against all claims. For example, if the payer reviews 40 records and alleges that 20 of them contain billing errors, the payer often will seek to extrapolate an error rate of 50% against the universe of claims for that provider. The payer may make a demand for recoupment based on a 50% error rate for the entire practice. Usually, such a conclusion is not borne out by the facts. The use of extrapolation is limited, and most payers seek to use it at times, and in a manner, that are not appropriate. It is always important to review billing practices to ensure your charts are complete and support your coding practices, and if you are audited, contact knowledgeable legal counsel. For more information, contact Brian M. Foley at [email protected], or (973) 540-7326, or Sharmila D. Jaipersaud at [email protected], or (973) 631-7845.
Attorney Advertising: This publication is designed to provide Schenck, Price, Smith & King clients and contacts with information they can use to more effectively manage their businesses. The contents of this publication are for informational purposes only. Neither this publication nor the lawyers who authored it are rendering legal or other professional advice or opinions on specific facts or matters. Schenck, Price, Smith & King, LLP assumes no liability in connection with the use of this publication. Copyright © 2017 Schenck, Price, Smith & King, LLP
(973) 539-1000