A Reminder About BOI Reporting

We are hearing a great deal from our clients as they process the uncertainties related to federal appointments in the health sector. The new year will be an interesting one. Below is a reminder on an immediate concern for some of you:

The Beneficial Ownership Information (BOI) required to be reported under the Financial Crimes Enforcement Network (FinCEN) is still a requirement according to the U.S. Treasure’s Fact Sheet on the subject:

· Reporting companies created or registered before January 1, 2024, will have one year (until January 1, 2025) to file their initial reports, while reporting companies created or registered after January 1, 2024, will have 30 days after receiving notice of their creation or registration to file their initial reports.

· Reporting companies have 30 days to report changes to the information in their previously filed reports and must correct inaccurate information in previously filed reports within 30 days of when the reporting company becomes aware or has reason to know of the inaccuracy of information in earlier reports.

/by

Green Ridge Behavioral Health Resolution Agreement and Corrective Action Plan Following Ransomware Investigation by HHS OCR

According to the Resolution Agreement published by HHS, Office of Civil Rights that is charged with enforcing the HIPAA Privacy Rule standards, (45 CFR Part 160 and Part 164, Subparts A and E) as well as the security Rule (45 CFR Part 160 and Part 164 Subparts A and C) and the Breach Notification Rule (45 FR Part 160 and Part 164 Subparts A and D). Following a Breach Report, OCR investigated a ransomware attack involving PHI for over 14,000 patients which revealed GRBH’s noncompliance with both the Privacy and the Security Rules. The investigation indicated the following potential violations:

  • Failure to comply with the requirement to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to confidentiality and integrity of all ePHI (45 CFR §164.308(a)(l)(ii)(a))
  • Failure to comply with requirement to implement security measures sufficient to reduce risks and vulnerabilities to ePHI to reasonable and appropriate level. (45 CFR §164.308(a)(l)(ii)(B))
  • Failure to comply with requirement to implement policies and procedures to regularly review records of information system activity, such as incident tracking reports and access reports (45 CFR §164.308(a)(1)(ii)(A))
  • Failure to comply with the requirement to not use or disclose PHI except as permitted by the Privacy Rule. (45 CFR §164.502(a)).

The Resolution Agreement with Green Ridge Behavioral Health (GRBH) in late October, 2023, is not an admission or concession but is intended to resolve the investigation and any potential HIPAA violations and avoid further burden and expense of investigation and formal proceedings, according to the terms of the document. GRBH agreed to pay $40,000 in a lump sum payment within 3 days of the effective date of the agreement and agreed to comply with terms of a Corrective Action Plan (CAP) attached to the Agreement. The Agreement is binding on successors. Breach of the CAP, and failure to cure as set for the in the Cap, constitutes breach of the Resolution Agreement. Green Ridge will also conduct an audit of third-party vendors to ensure that business associate agreements are in place, and report to OCR if workforce members fail to comply with HIPAA.

The outcome of this investigation underscores the need for all behavioral health providers to give time and attention to compliance activities to minimize the risks to their organizations particularly in light of the number of breaches healthcare institutions and other providers are currently experiencing.

/by
,

RESOLUTION OF THE CHAOS SURROUNDING HIE PROPOSED RULES: HIE EXEMPTIONS AVAILABLE FOR ALL BUT PROVIDERS MUST APPLY

I have spoken with so many of my clients and colleagues this summer about the HIE statutes, rules and the machinations of the legislature. According to the proposed rules all licensed providers were required to show a good faith effort to join the MyHealth Access Network, the state’s designated Health Information Exchange by July 1, 2023. However, at issue has been a provision allowing exemption of some providers which was less that clear and hotly contested particularly by behavioral health providers. The Governor disapproved those rules on June 23, 2023.

OHCA drafted revised OKSHINE emergency rules, which were approved on July 17, 2023. These emergency rules now establish that, instead of applying for exemption from OKSHINE transmission and utilization requirements, “[a]ll providers that register [for] an exemption shall be granted such exemption and shall not be subject to pay subscription fees and/or connection fees.” Therefore, any healthcare providers who desire OKSHINE exemption status will automatically receive such an exemption after completing OHCA’s OKSHINE Exemption Registration Form. The form may be accessed at this link.

OHCA staff will review submitted forms, and then notify those providers of their OKSHINE exemption status. According to the language of the rule, “[t]he exemption will automatically renew annually unless the provider withdraws their exemption and elects to participate.”

/by
,

Tele-Prescribing Controlled Substances post-PHE

The federal government has declared that the COVID-19 Public Health Emergency (PHE) expires on 5/11/23Many things will occur on that day which I will endeavor to write about in the coming daysI have many clients and colleagues concerned with rules governing telehealth, so I will focus in my first posting for HLO on what may happen to the rules for tele-prescribing controlled substances post-PHEThe DEA and HHS jointly proposed rules early in 2023, largely characterized by institutional providers as burdensome and hindering access to care. The sponsoring agencies interpreted the responses to be overwhelmingly in opposition to the proposed rules, and so the proposed rules were abandoned.  The Ryan Haight Act of 2008, established the requirement that the practitioner prescribing controlled substances via the internet must have conducted at least one in-person medical evaluation of the patient, but the option the statute provided of a special registration requirement for telehealth-limited prescribers was also dismissed as too limitedDEA and HHS have now offered a Temporary Rule to the Office of Management and Budget (OMB) which was available online at federalregister.gov/d/2023-09936 on 5/9/23It seems that the agencies heard and acted upon the demand for continued flexibility for these providers and their patients’ needs. That rule provides that “[t]he full set of telemedicine flexibilities regarding prescription of controlled medications as were in place during the COVID-19 PHE will remain in place through November 11, 2023.”  In addition, a one-year grace period is established for any practitioner-patient telemedicine relationships established on or before 11/11/23 preserving the “full set of telemedicine flexibilities” in place during the COVID PHE. DEA is evaluating comments and preparing for implementation of final regulations.  The temporary rule, in effect until 11/11/24, adds new 21 C.F.R. 1307.41 and 42 C.F.R. 12.1. 

/by

Richard, healthcare counsel to review Stark Law, Anti-Kickback Statute final rules

Final Rules have been issued for both the Stark Law (“Stark”) and the Anti-Kickback Statute (“AKS”).  Healthcare providers and their counsel have been awaiting these new rules for some time now.  In the days ahead, Phillips Murrah healthcare counsel will be studying the 627 pages of the Stark Final Rules and the 1,000 pages of the AKS Final Rules in order to advise our clients with regard to these changes.

Stark: 

The Final Rules for Stark establish new and permanent exceptions for value-based arrangements which will apply broadly to care provided for all patients and not just Medicare patients.  Stark will continue to act to limit overutilization of services, fraud and other abuse in the healthcare industry but will offer increased flexibility for current strategies and activities to encourage value-based arrangements, coordination and improvement of care which are both reasonable and beneficial to patients.

AKS: 

The Final Rule includes seven new safe harbors and modifications of four existing safe harbors.  In addition, there is a new exception for Civil Monetary Penalties Act for Beneficiary Inducements.  Of interest to counsel for both physicians and hospitals is the Final Rule’s clarification of Fair Market (“FMV”) as related to physician compensation.  FMV has been a continued troublesome of scrutiny and debate by all participants in the healthcare industry.  Also significant for many healthcare clients are the modifications and clarification of provisions related to cyber security and digital technology.

/by