Labs remain at the forefront of the federal government’s suspicious persons list and health care fraud enforcement agenda. But in addition to the customary laws that labs are used to, the government made some new ones in 2019, including scary regulatory requirements that garnered little attention. There were also significant new enforcement policy changes, including with regard to HIPAA. Here’s a rundown of what we at G2 voted the five most significant new laws that lab compliance managers need to be aware of entering the new year, along with the steps necessary to meet the compliance challenge each one of them creates.
- EKRA Casts New Kickback Doubts on Existing Lab Marketing Arrangements
Compliance Challenge: Massive concerns from a law adopted in October 2018 was the biggest story in lab compliance in 2019. The
Eliminating Kickbacks in Recovery Act of 2018 (EKRA) provides for criminal penalties of up to $200K and 10 years in prison for knowingly and willfully: i. soliciting or receiving any remuneration in return for referring a patient to a lab; or ii. paying or offering any remuneration to induce a referral of an individual, or in exchange for an individual using the services of a lab. The headline isn’t the restriction, which overlaps with current Anti-Kickback Statute (AKS) and Stark Law (Stark) rules but the fact that EKRA lacks the exceptions and safe harbors that apply to those existing laws.
What To Do: Unless and until the DOJ issues guidance or Congress adopts clarifying legislation, lab compliance officers must revisit the arrangements they carefully crafted to meet AKS and Stark to ensure they meet EKRA (including arrangements with private payors since EKRA is an all-payor statute), especially:
- Commissions and variable pay arrangements tied to the value or volume of lab testing generated with marketing, sales, accounting and other representatives;
- Leases of office space between your lab and referring physicians; and
- Participation agreements with Accountable Care Organizations (ACOs).
- Broad New Medicare Affiliates Exclusions Rule
Compliance Challenge: While EKRA has garnered lots of attention, an even scarier new law has flown under the radar. In November, a new Final Rule took effect giving CMS broad new powers to exclude or deny Medicare enrollment to labs that currently affiliate or have affiliated over the past five years with individuals and organizations that pose an “undue risk” of committing fraud, waste or abuse.
What To Do: Vetting your current principals, employees and business affiliates is no longer enough. To avoid potential exclusion under the “affiliates” rule, you must now do background checks on all affiliates with which your lab has associated during the five-year lookback period to ensure they haven’t been excluded from a government health program. The term “affiliate” is defined broadly to include those that have or had:
- A direct or indirect ownership of 5% or more in another organization;
- A general or limited partnership interest, regardless of percentage;
- An interest in which an individual or entity “exercises operational or managerial control over, or directly conducts” the daily operations of another organization “either under direct contract or through some other arrangement”;
- A role as an officer or director of a corporation; or
- Any reassignment relationship with the organization.
If you find that affiliates have been excluded or involved in healthcare fraud, you must come forward and disclose it to CMS if the agency requests it. However, disclosure obligations are expected to become more active and waiting for a CMS request won’t be good enough.
- New CMS Exclusion Rules for Not Reporting Minor Infractions
Compliance Challenge: In addition to the “affiliates” provisions, the new November Final Rule allows CMS to exclude labs for failing to report minor state disciplinary offenses committed by advanced practice nurses, therapists, physician assistants and other licensed health professionals they employ.
What To Do: While it probably won’t affect the scope of current background checks, labs will have to broaden their CMS reporting and disclosure rules to meet the new rules. Historically, labs only had to report to CMS state board administrative actions that placed restrictions on a licensee, such as licensing suspension or revocation. Now, you’ll have to report even minor licensing board actions, e.g., fines or reprimands for failing to timely complete required continuing education courses, or actions settled to avoid the costs of filing an administrative appeal. Moreover, the new rule covers the actions of not only state oversight boards but also:
- Actions of a federal or state health care program;
- Determinations of an Independent Review Organization (IRO); or
- Actions of any other equivalent governmental body or program that oversees, regulates or administers health care providing and that involve underlying facts reflecting improper physician or other eligible professional conduct that led to patient harm.
- Proposed New Kickback Relief Rules
Compliance Challenge: On Oct. 9, 2019, CMS finally revealed its long-awaited kickback reform proposals. And while the proposals do offer substantial relief by creating broad new exceptions for value-based care, EHR, cybersecurity and ACOs, the agency doesn’t want to let labs participate in the proposed new exceptions. “On the basis of our historical enforcement and oversight experience, we are concerned that [some labs] . . . might misuse the proposed safe harbors to offer remuneration to practitioners and patients to market their products.”
What To Do: Lab compliance officers will have to pay close attention to the Final Rule which CMS is expected to publish after responding to the public feedback in January. The key thing to watch for is whether the agency backs down from its proposal to cut out labs from the new exceptions. In either case, there are parts of the proposed rule that benefit labs, including:
- Clarification of “commercially reasonable” compensation for purposes of applying current AKS and Stark exceptions;
- The new definition of “fair market value” for purposes of applying the current exception for equipment or property rentals;
- The elimination of the current “period of disallowance” waiting period for arrangements between labs and physicians that fail to qualify for a Stark exception;
- The expansion of the 90-day grace period for Stark exceptions, which would allow labs and physicians to not only sign but also execute the required documents during the 90 days; and
- The new exception for arrangements in which labs pay a physician less than $3,500 in a calendar year.
- The New HIPAA Enforcement Initiative
Compliance Challenge: Historically, HIPAA enforcement has focused predominantly on the failure of labs and other covered entities to keep protected health information (PHI) private and secure. But in March, the HHS Office for Civil Rights (OCR) announced a new enforcement campaign targeting providers that keep PHI too close to the vest by denying patients their access rights. On Sept. 9, 2019, the OCR announced its first action under its so called Right of Access initiative, an $85,000 settlement with a Florida hospital for denying a mother timely access to her unborn child’s PHI. OCR struck again on Dec. 12, by announcing another settlement for the same amount with a Florida primary care and interventional pain management firm that failed to forward a patient’s PHI in electronic format to a third party.
What To Do: While denying individuals access to their PHI has always been illegal, thanks to Right of Access, it now carries the real risk of fines and other penalties. That makes it imperative for compliance officers to do a full scale review to ensure that IT systems are in place and lab staffers are doing a good job of respecting patients’ rights to see, copy and amend their lab records in the requested format and without being overcharged for doing so.