COVID-19-Related Healthcare Fraud and Anti-Kickback Enforcement
Focuses on Laboratory Testing
While the U.S. Department of Justice (DOJ) has identified and pursued a variety of fraud schemes and activities related to COVID-19 (such as sales of fake testing kits and PPE, price gouging, and fraudulent offers for free COVID-19 testing in order to obtain Medicare beneficiary information that is used to submit false medical claims), several recent cases involving laboratory testing demonstrate that this is a key area of healthcare fraud and anti-kickback enforcement during the pandemic. Read the full article here.
In May and June, the Office of Civil Rights at the U.S. Department of Health and Human Services (OCR) issued additional HIPAA guidance relevant for healthcare providers during the COVID-19 pandemic. The guidance issued on May 5, 2020 reminds healthcare providers that they must obtain a valid HIPAA authorization from each patient whose protected health information (PHI) will be accessible in any form (e.g., written, electronic, oral, or other visual or audio form) to the media or film crew before the media is given access to the PHI. Note that a patient’s presence in an area of a healthcare facility that is dedicated to the treatment of a specific disease or condition, such as COVID-19, reveals the patient’s diagnosis. Masking or obscuring patients’ faces or identifying information when airing the recording of the patient is not sufficient. Further, healthcare providers may not require a patient to sign a HIPAA authorization as a condition of receiving treatment. A link to the May Guidance is available here.
On June 12, 2020, OCR issued guidance on how HIPAA permits healthcare providers to contact their patients who are recovered from COVID-19 to inform them about how they can donate their blood and plasma containing antibodies to help other patients with COVID-19. Specifically, HIPAA permits using or disclosing PHI for treatment, payment, and healthcare operations without an individual’s authorization. Healthcare operations include population-based activities related to improving health, case management, and care coordination. However, providers cannot use the PHI for marketing purposes (e.g., receive any payment from or on behalf of a blood and plasma donation center in exchange for such communications with recovered patients) without patient authorization. Uses and disclosures of PHI for healthcare operations purposes must be limited to the minimum necessary to accomplish the intended purpose. Further, while a provider can use the PHI to identify and contact its own former COVID-19 patients, generally the provider cannot disclose PHI to a third party without the individual’s authorization for the third party to make marketing communications about the third party’s products or services (unless the third party is making the communication on behalf of the covered entity, for example, as a business associate). For example, a hospital cannot disclose PHI about individuals who have recovered from COVID-19 to a blood and plasma donation center, so that the donation center can contact the patients to request blood and plasma donations for its own purposes. A link to the June Guidance is available here.
PHE Declaration Extension
The nationwide public health emergency (PHE) declared by the Secretary of Health and Human Services related to COVID-19 on January 31, 2020 was renewed effective July 25, 2020. A PHE declaration lasts until the Secretary declares that the PHE no longer exists or upon the expiration of the 90-day period beginning on the date the Secretary declared a PHE exists, whichever occurs first. The Secretary may extend the PHE declaration for subsequent 90-day periods for as long as the PHE continues to exist, and may terminate the declaration whenever he determines that the PHE has ceased to exist. Because many of the current waivers of regulatory requirements (including the CMS blanket waivers available here) will end upon the end of the emergency declaration, providers should begin planning now for the possible future termination or expiration of the PHE. Specifically, providers should review current arrangements that use or rely on waivers, and begin planning for how to unwind them.
Notice of Reporting Requirements for Provider Relief Fund Recipients
On July 20, 2020, the U.S. Department of Health and Human Services (HHS) issued a notice informing Provider Relief Fund (PRF) recipients that detailed reporting instructions will be released on August 17, 2020. Healthcare providers that used any part of a PRF payment funded through the Coronavirus Aid, Relief, and Economic Security (CARES) Act and the Paycheck Protection Program and Health Care Enhancement Act agreed to a set of Terms and Conditions which required, among various obligations, recipients to submit reports to HHS. The reporting system will become available on October 1, 2020 and all recipients must report within 45 days of the end of the calendar year 2020 on their expenditures through the period ending December 31, 2020. For more information, see the Notice here.
Health Privacy Rule 42 CFR Part 2 is Revised
In July 2020, the Substance Abuse and Mental Health Services Administration (SAMHSA) announced the adoption of the revised Confidentiality of Substance Use Disorder Patient Records regulation, 42 CFR Part 2. A chart summarizing the revised rule’s modifications to Part 2 can be found here. The revised rule serves to further facilitate better coordination of care, while maintaining important confidentiality protections against unauthorized disclosure and use.
DOJ Updated Compliance Guidance
In June 2020, the Department of Justice updated its guidance regarding evaluation of corporate compliance programs. The updated guidance can be found here. Healthcare providers should review and assess their own compliance programs based on the updated guidance.
OCR Resolves Religious Freedom Complaints During COVID-19
In July 2020, OCR resolved two religious freedom complaints related to COVID-19. The first involved a hospital’s denial of an individual’s request to allow a priest to visit her critically ill husband. According to the complaint, the priest was turned away by the hospital despite being willing to wear any necessary personal protective equipment due to a visitor exclusion policy the hospital had adopted in response to the COVID-19 pandemic. Acting in partnership with CMS, OCR provided technical assistance to the hospital, based on CMS guidance that provides that “facilities must ensure patients have adequate and lawful access to chaplains or clergy.” The complaint was resolved after the hospital allowed the patient to freely exercise his religion by permitting him to receive a visit from a priest, and updated its visitation policy so that (1) patients in COVID-19 positive units or sections can practice their religion with clergy visitations in compassionate care situations including end-of-life; (2) patients in non-COVID units can freely exercise their religion by receiving clergy visitation at any reasonable time, as long as the visit does not disrupt clinical care; and (3) visiting clergy must follow hospital safety policies, including screening for COVID-19 infection, such as temperature checks, and must be willing to sign a written waiver.
The second complaint involved a hospital’s requirement for medical students to fit-test and wear N95 respirator masks while serving patients and for the medical student at issue to shave his beard. The student advised the hospital of his inability to shave his beard because of his religious beliefs. The complaint was resolved after OCR communicated with the student and provided technical assistance to the hospital, and the hospital granted the student’s accommodation request and provided an alternative form of PPE called a Powered Air Purifying Respirator (PAPR) which provides greater protection than an N95 mask and would allow for a facial beard.