The health care regulatory scheme has experienced significant changes over the past year. In March 2010, Congress passed the most sweeping health care legislation since the implementation of Medicare. Additionally, Congress has altered some regulatory schemes in the areas of privacy laws that will significantly affect health care providers. Below is a discussion of some of these regulatory changes. In the coming weeks, we will expand our discussions in this area and provide additional updates. We hope this information will be helpful to you.
PATIENT PROTECTION AND AFFORDABLE CARE ACT (“PPACA”)
On March 30, 2010, President Obama signed into law the final version of the PPACA. The purpose of the PPACA is to supply affordable coverage to a larger number of individuals. PPACA also significantly impacts numerous existing regulatory laws and adds additional regulatory requirements:
Whole Hospital Exception
As part of PPACA, Congress eliminated the Whole Hospital Exception to Stark that allowed physicians to own or have an ownership interest in a hospital. The removal of this exception effectively prevents a physician from owning a specialty hospital or from having an ownership interest in any hospital. The amendment eliminating this extension allows hospital with current physician ownership to continue as long as there is no expansion. The effective date for this legislation is unclear but generally it is though that only those hospitals that have a provider agreement in place by December 31, 2010 may utilize the exception.
PPACA requires the Department of Health and Human Services (“HHS”) to create a self-disclosure protocol under which providers may self-disclose violations of the Stark Law. After the Office of Inspector General (“OIG”) limited self-disclosure to Illegal-Remuneration violations, PPACA requires the HHS and the OIG to design the protocol by the end of the year. PPACA also grants to HHS the authority to resolve a Stark violation and assess the penalty for the violation.
False Claims Act
PPACA broadens the reach of the False Claims Act (“FCA”) both in self-regulation and in aligning with Illegal Remuneration violations. PPACA requires providers to report and return over-payments within 60 days of discovering the overpayment; failure of which will result in a false claim. PPACA also clarifies that a violation of the anti-kickback statute also is a violation of the False Claims Act.
Accountable Care Organizations
PPACA establishes a new program in which groups of providers and suppliers come together in a coordinated effort to provide care to Fee For Service beneficiaries. The program is to be created by HHS by January 12, 2012 and the details have yet to be delineated. ACO’S would be entitled to payments under Medicare Parts A and B as well as portions of shared savings under quality performance standards. The specific details related to how ACO’s are to be created have not been enacted. Further, how ACO’s will be exempt from Stark and Illegal Remuneration is not yet known.
As part of the 2009 Stimulus Package (American Recovery and Reinvestment Act of 2009), Congress included The Health Information Technology for Economic and Clinical Health Act (“HITECH”). This law expanded the HIPAA privacy requirements to business associates with attendant civil and criminal penalties for violations. Additionally, HITECH created notification requirements for security breaches. On July 18, 2010, HHS promulgated proposed regulations that would modify HIPAA. Many of the changes modify HIPAA to conform to HITECH. Most important though is the revision of the “business associate” definition to include subcontractors of the business associate, making subcontractors subject to the notice requirements and the civil and criminal penalties. Under the regulations, not only would the business associate be subject to penalties but also the covered entity potentially could be responsible for the business associate’s breach even with a valid business associate agreement in place. An individual’s privacy is increased through the rules that stop the sale of protected health information (“PHI”), limit the use of PHI for marketing purposes, and expand the individual’s access to PHI.