AHA Lawsuits Challenge Two-Midnight Rule, 0.2 Percent Cut, Other IPPS Changes

The American Hospital Association (AHA), together with several hospitals and hospital organizations, has filed two lawsuits in the United States District Court for the District of Columbia asking that four components of the August 19, 2013, Inpatient Prospective Payment System (IPPS) Final rule be declared invalid. One complaint challenges: (1) the two-midnight rule; (2) the requirement that claims for outpatient services filed after the denial of a claim for inpatient services be submitted within one year of the date that services ended; and (3) the requirement that a physician order use the words “inpatient services” as a condition of payment for a stay. The second complaint claims that the 0.2 percent cut in the rate for inpatient services is invalid.

Co-Plaintiffs

The AHA is joined in both lawsuits by Banner Health, based in Phoenix, Arizona; Mt. Sinai Medical Center in New York City; Einstein Healthcare Network in Philadelphia, Pennsylvania, Wake Forest Baptist Medical Center in Winston-Salem, North Carolina, and hospital organizations in New York, New Jersey, and Pennsylvania. Each of the hospitals claims to have lost thousands of dollars as a result of the 0.2 percent rate cut and even larger sums due to the two-midnight rule.

The Rate Reduction

The complaint alleges that the reduction is invalid for several reasons. First, CMS did not include the reduction in an actual regulation, but only described it in the preamble to the Final rule. Second, the factual premises on which the rule was based are based on assumptions that are demonstrably wrong. Allegedly, CMS stated that it expected that the two-midnight rule, if applied to the fiscal year (FY) 2011 discharges, would result in 400,000 cases switching from outpatient to inpatient and 360,000 from inpatient to outpatient. But the Final rule stated that CMS considered only surgical discharges, excluding diagnosis related groups (DRGs) involving medical services only. The AHA notes that length of stay is easier to predict in surgical cases, and the exclusion of medical discharges distorts CMS’ analysis. Third, the Proposed rule did not describe the changes in policy with enough clarity or specificity to allow effective notice and comment.

The Two-Midnight Rule

The AHA and its co-plaintiffs contend that the two-midnight rule departs abruptly from long-standing policy defining inpatient services and describing the physicians’ role in determining whether a patient should be admitted. Under the prior policy, the AHA alleges, a physician could admit a patient if his or her condition and the anticipated services were likely to result in a stay of at least 24 hours. If a stay must cross two midnights to qualify for inpatient status, a patient admitted early in the morning might not qualify as an inpatient until nearly 48 hours had passed. The complaint alleges that the rule replaces the many medical factors the physician might consider with a single requirement based on time, so that even services provided in an intensive care unit might not qualify for inpatient reimbursement.

One-Year Limit

The AHA contends that the post-discharge review and denial of payment for inpatient services by recovery audit contractors (RACs), combined with the requirement that claims for outpatient services be submitted within one year of service deprives hospitals of the outpatient reimbursement because RAC reviews generally do not even begin until one year after services were furnished. The complaint notes that the agency has exercised its authority to make exceptions to the one-year deadline in other situations but refuses to do so here and that it could simply direct its administrative contractors to reprocess the rejected inpatient claims as outpatient services.

Finally, the hospitals claim that the physician order requirement is inconsistent with Soc. Sec. Act sec. 1814(a)(3) because the statute requires certification for hospital services to be provided over an extended period, not for all inpatient services.

Software Vulnerability Endangers EHR, Devices; HHS Websites Unaffected

The “Heartbleed” bug, discovered last week by two information technology (IT) security teams, caused a vulnerability in a popular encryption software used by many medical professionals to protect patient data. Electronic health record (EHR) systems often use OpenSSL’s encryption software to secure protected health information (PHI). Heartbleed can reveal the contents of a server’s memory to hackers, including private data such as usernames, passwords, and credit card numbers. Attackers are also able to obtain copies of a server’s digital keys, and use those keys to impersonate servers or to decrypt communications. Security experts estimate that 66 percent of all devices connected to the internet, including internet-capable medical devices, could be attacked using Heartbleed.

Heartbleed Danger

According to members of the security team that discovered Heartbleed, the bug allows anyone on the internet to access and read the memory of systems protected by the vulnerable versions of the OpenSSL software. Affected information includes secret keys used to identify service providers and to encrypt data, as well as user names, passwords, and actual saved content, allowing attackers to steal data directly from the services and users and to impersonate services and users. A fixed version of OpenSSL has been released, but the vendors of operating systems, appliances, and independent software all must adopt the fix for each program that uses OpenSSL. Further, users and administrators should change their passwords to prevent use of their accounts by anyone who has accessed their private account information. Passwords changed before the fixed version is installed are not secure.

The security team that discovered Heartbleed said, “We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.”

Impact on Health Industry

OpenSSL is an open source protocol. Open source means users are universally granted free license to the product, which is not copyrighted. As a result, many health IT-related programs and devices use the protocol, including those that use Apache servers. A “cursory review” conducted by health IT developer Lauren Still found many web-based EHR platforms were vulnerable to the bug. Additionally, some Health Insurance Exchanges operated by states under the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148) were exposed. Medical Device and Diagnostic Industry says that the bug could be used to attack systems used to communicate with insulin pumps, home health care networks, and medical devices such as MRI machines.

Safety of HealthCare.gov, MyMedicare.gov

When the discovery of Heartbleed was announced, the Department of Homeland Security’s (DHS) U.S.-Computer Emergency Readiness Team (US-CERT) issued an immediate alert. Other DHS teams have reached out to vendors and asset owners to notify and assist them in determining vulnerabilities and protecting their data. DHS announced that “the Federal government’s core citizen-facing websites are not exposed to risks from this cybersecurity threat.” Building on DHS’s announcement, a CMS spokesperson stated “Due to CMS’s security protections, HealthCare.gov consumer accounts are not affected by this vulnerability. Additionally, other CMS consumer accounts, including MyMedicare.gov, were not affected by this vulnerability. Per standard practice, CMS continues to work with the states to monitor this issue and ensure that appropriate security measures continue to be in place.”

Developer and cryptography consultant Filippo Valsorda published a tool that allows users to check websites for Heartbleed vulnerability. For websites that require passwords, Last Pass created a similar checker tool. Wolters Kluwer tested a number of HHS websites, and confirmed that in addition to HealthCare.gov, Medicare.gov and the FDA’s online Drug Registration and Listing system were not vulnerable to Heartbleed; tests revealed that MyMedicare.gov and CMS’s EHR Incentive Program Registration & Attestation system may possibly be affected.

Study Questions Government’s $1.3 Billion Stockpiling of Tamiflu® and Relenza®

Researchers at the Cochrane Collaboration and BMJ (formerly British Medical Journal) are questioning the U.S. government’s spending of $1.3 billion on stockpiling antivirals such as Tamiflu® and Relenza®, noting that there is no credible evidence demonstrating the two neuraminidase inhibitors lower hospital admissions and complications of influenza. While clinical trials showed that influenza-like symptoms in Tamiflu and Relenza takers were alleviated a half-day sooner than patients who took a placebo, the antivirals actually increased occurrences of nausea, vomiting, headaches, psychiatric disturbances, and renal events. Researchers also found that there was insufficient evidence to demonstrate Tamiflu and Relenza prevent person-to-person spreading of influenza.

“We now have the most robust, comprehensive review on neuraminidase inhibitors that exists,” said BMJ Editor-in-Chief David Tovey. “Initially thought to reduce [hospitalizations] and serious complications from influenza, the review highlights that Tamiflu is not proven to do this, and it also seems to lead to harmful effects that were not fully reported in the original publications. This shows the importance of ensuring that trial data are transparent and accessible.”

According to Cochrane and BMJ, the evidence that was previously presented to government agencies regarding Tamiflu and Relenza, which subsequently led to the expensive stockpiling of the antivirals, was incomplete. However, the Review, “Neuraminidase inhibitors for preventing and treating influenza in healthy adults and children,” involved 20 Tamiflu and 26 Relenza trials, involving over 24,000 people. “Drug approval and use cannot be based on biased or missing information any longer,” stated review authors Dr. Tom Jefferson, Dr. Carl Heneghan, and Dr. Peter Doshi. “We risk too much in our population’s health and economy. This updated Cochrane review is the first time a Cochrane systematic review has been based only on clinical study reports and regulator’s comments. It is the first example of open science in medicine using full clinical study reports available without conditions. And therefore the conclusions are that much richer. We urge people not to trust in published trials alone or on comment from conflicted health decision makers, but to view the information for themselves.”

According to Cochrane, “the review clearly recommends that guidance on the use of both neuraminidase inhibitors (oseltamivir and zanamivir) in the prevention or treatment of influenza should be revised to take account of the evidence of small benefit and increased risk of harms.” In addition, given the lack of evidence that supports original claims of the antivirals’ benefits, the review raised questions on whether stockpiling of the drugs is still justifiable.

Kusserow’s Corner: Dental Fraud and Abuse

We don’t often hear news dental fraud and abuse cases. This is as result of more limited benefits provided by government programs. Occasionally, we are reminded that enforcement problems extend to this area. Recently, the HHS Office of Inspector General (OIG) has focused on this area. It noted that Medicaid is the primary source of dental for approximately 35 million children and that in recent years, a number of dentists and dental chains have been prosecuted for providing unnecessary dental procedures to Medicaid children, as well as for causing harm to children while performing these procedures.

The OIG conducted a review relating coverage for children in low-income families and provides access to dental care in New York and issued a report entitled “Questionable Billing for Medicaid Pediatric Dental Services in New York (OEI-02-12-00330).” It analyzed New York Medicaid program, specifically looking into the fee-for-service paid claims for general dentists and orthodontists who provided services to 50 or more children in 2012.

Using several measures, the OIG identified dental providers with questionable billing who are extreme outliers when compared to their peers. It identified 23 general dentists and six orthodontists in New York with questionable billing. Medicaid paid these providers $13.2 million for pediatric dental services in 2012 and received extremely high payments per child; provided an extremely large number of services per child; or provided certain selected services, such as pulpotomies or extractions, to an extremely high proportion of children. Additionally, almost a third of the general dentists were associated with a single dental chain that had settled lawsuits for providing services that were medically unnecessary or that failed to meet professionally recognized standards of care to children.

The OIG noted that its findings raise concerns that certain providers may be billing for services that are not medically necessary or were never provided. It also raises concerns about the quality of care provided to Medicaid children. Although some of the billing may be legitimate, providers who bill for extremely large amounts of services warrant further scrutiny. Based upon findings, the OIG recommended that the New York State Department of Health:

  1. Continue to monitor general dentists and orthodontists to identify patterns of questionable billing,
  2. Ensure that the State employs adequate safeguards to monitor general dentists and orthodontists under managed care, and
  3. Ensure appropriate follow-up on the general dentists and orthodontists identified as having questionable billing.

The New York State Department of Health neither agreed nor disagreed with the recommendations, but identified actions it has taken or plans to take that support the first recommendation. It also outlined current requirements and processes that are in place that support the second recommendation. It did not indicate whether any steps were planned to address the third recommendation.

Recent examples of dental fraud and abuse enforcement actions include the unlicensed owner of Indiana-based Anderson Dental Center, who was charged with Medicaid fraud, theft, money laundering, and forgery. Eight employees, including three dentists, are also facing various charges that include Medicaid fraud, money laundering, and forgery in connection with submitting fraudulent claims for un-provided dental services to the state Medicaid program and with falsifying documents.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Copyright © 2014 Strategic Management Services, LLC. Published with permission.