As most of you are aware, all 2019 HIPAA security breaches affecting less than 500 individuals must be reported by covered entities (e.g., providers and health plans) to the Federal Department of Health and Human Services, Office of Civil Rights (“OCR”) prior to February 28, 2020.   If you have not already submitted this information, you may do so by clicking on this link and following the instructions to make the electronic report:  https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true

Twist from the New York Attorney General

This year, in New York, the annual HIPAA breach notification requirement comes with a twist.  New York covered entities must now also report all HIPAA breaches to the New York Attorney General within five (5) days of making the report to the OCR.   Reports can be made using the on-line form found at this link:  https://formsnym.ag.ny.gov/OAGOnlineSubmissionForm/faces/OAGSBHome

            *           *           *           *           *

If you have any questions regarding this Alert, please contact the Garfunkel Wild attorney with whom you regularly work.

Click Here to download the Legal Alert.

 

On January 21, 2020, Governor Phil Murphy signed bills A5916 and A5918 into law which are intended to increase the financial transparency of New Jersey hospitals and to ensure that such hospitals do not suddenly shut down, leaving residents without access to adequate health care in their respective communities as a result of a hospital’s financial distress.

A5916: The enactment of A5916 mandates the New Jersey Department of Health (“DOH“) to consider certain additional financial measures in determining whether a hospital is in financial distress, such as the hospital’s: (1) average daily census, (2) operating margin, and (3) operating margin adjusted to account for fees, allocation, and other business interactions with interested persons, as those terms are defined in Internal Revenue Service (“IRS“) Form 990[1]. If the Commissioner of the DOH determines that a hospital is in financial distress, then the Commissioner may provide notice of the hospital’s financial state to the relevant governmental authorities representing the hospital’s municipality.

A5918: The enactment of A5918 mandates that general hospitals will now be required to submit unaudited financial information and financial statements to the DOH on a quarterly basis. All tax-exempt hospitals will now be required to post the most recent copy of their IRS Form 990, Form 990 schedules, and supporting documentation on their website upon annual renewal of their license. Since a Form 990 is not applicable to for-profit entities, for-profit hospitals will instead be required to annually post on their websites all existing governance, financial, and operating information which otherwise would have been required to be submitted in the schedules and supporting documentation for a Form 990.

Further, hospitals will now have to provide the DOH with information regarding certain transactions. Specifically, the DOH must be provided with prior notice of a hospital’s intent to enter into an agreement for the sale or lease of the land or the property on which the hospital is located, along with a copy of the agreement, the names of all parties involved, and the intended use of proceeds from the sale or lease of the land or property. Finally, if a hospital is owned or managed by a for-profit entity, or a for-profit entity has a majority ownership in a hospital, such hospital will be now required to provide the DOH with the following information:

  1. A report of each business transaction in the fiscal year with an interested person which exceeds $10,000;
  2. A chart identifying all organizations related to the hospital, including the full name, location, and tax-exempt status of each;
  3. Whether the owners or managers of the hospital maintain one or more offices, employees, or agents outside of the United States that do business with the hospital;
  4. Any revenues and expenses of more than $10,000 transacted outside the United States;
  5. A list of investors and joint ventures between the hospital owners and its investors, including the name of the joint venture entity, its tax-exempt status, a description of its primary activity, and percentage of profit or ownership held by each of the officers, directors, physicians, and key employees of the hospital in the joint venture;
  6. The name and address of any management company paid to provide services to the hospital, a description of the primary activity of the management company, and the percent of profit or ownership held by each of the officers, directors, physicians, and key employees of the hospital in the management company;
  7. The amounts paid to any affiliates for management or consulting services;
  8. A description of any trust that holds an interest in the hospital, including the name of any trustees, beneficial owners, grantors, or settlor of the trust, along with a copy of the full trust agreement;
  9. A list of any properties for which the hospital has claimed a tax abatement; and
  10. Total amount of any surplus revenue used for debt retirement, plant or facility expansion, or a reserve for operating contingencies.

The above information provided to the DOH will be required to be posted on a hospital’s website, with the exception of any information deemed proprietary by the Commissioner.

_______________________

[1] Interested persons shall have the same definition as in IRS Form 990 except that “interested persons” shall also include the owners of any for-profit hospital.

            *           *           *           *           *

Should you have any questions regarding this Alert, please contact the Garfunkel Wild attorney with whom you regularly work.

Click Here to download the Legal Alert.

 

The New York State Education Department (“SED”) has implemented a major procedural change, requiring that new professional practice entities submit an affidavit to SED when applying for Certificates of Authority to operate in New York State (whether in connection with original formation or foreign qualification to do business in New York). SED’s new process also requires that an affidavit be submitted for professional practice entity name changes.

The affidavit requires that a licensed professional who is either an owner or an authorized shareholder attest to whether the professional practice entity has any “relationship, ownership interest, affiliation or association with any other business and/or professional practice entity.” If there is such a connection, the licensed professional must name the affiliated/associated entity, state the nature of relationship, and attest that the relationship is fully compliant with all applicable rules and regulations of the New York Education Law and Business Corporation Law.

As of this time, SED has not provided any instructions for completing the affidavit or any guidance on how a professional practice entity determines whether a relationship that requires disclosure exists. Likewise, SED has not provided information on whether there will be a consequence for completing an affidavit in a manner that it deems incorrect. Although SED has not indicated how the affidavits will be used, the new requirement suggests that they may be used to identify and review relationships among entities and evaluate whether they are compliant with applicable law.

SED has advised that any request for a Certificate of Authority or name change submitted to SED without the affidavit will be rejected and will require the applicant to begin the submission process anew.  SED will not allow applicants to supplement their filings with a completed affidavit.

We are in dialogue with SED about issues concerning this procedural change and the significance of the same.

Click Here to download the Legal Alert.

* * * * *

If you have any questions about this alert, please contact the Garfunkel Wild attorney with whom you regularly work.

 

Challenged by Nursing Homes

On October 9, 2019, New York State Department of Health (DOH) announced that it will be implementing a new methodology for adjusting nursing home Medicaid reimbursement rates, commonly referred to as the “case mix adjustment.” The revised methodology will apply retroactively to July 1, 2019. Under DOH’s revised methodology, adjustments will continue to be made in January and July of each calendar year based on the (Medicaid–only) case mix data for the previous case mix period.  However, the calculation for the initial adjustment will be made using the case mix data submitted by nursing homes to Centers for Medicare & Medicaid Services (CMS) for the August 2018 – March 2019 period. All future case mix adjustments (i.e., post July 2019) will be made based on the case mix data submitted to CMS for the previous six month period (e.g., April – September for the January case mix adjustment; October – March for the July case mix adjustment). This represents a departure from DOH’s previous practice which relied on data for two specific days each year (January 25 and July 25), to calculate the adjustment.  This change in methodology is expected to provide the State with savings of approximately $350 million in the upcoming budget year.

In response to the announced change, a coalition of nursing home provider associations has filed a lawsuit on behalf of over 100 nursing homes.  The lawsuit seeks both preliminary and permanent injunctions enjoining DOH from implementing the new case mix adjustment methodology.  The lawsuit claims, among other things, that the change poses an immediate threat to nursing home residents and employee staffing levels and impermissibly bypasses CMS’s prior approval process.  A ruling has not yet been issued on the request for a preliminary injunction.

Click Here to download the Legal Alert.

* * * * *

If you have any questions about this alert, please contact the Garfunkel Wild attorney with whom you regularly work.

 

The New York SHIELD Act has gone into effect today (October 23, 2019) and entities that maintain electronic information regarding New York residents will need to ensure compliance. At the very least, for entities that have HIPAA compliance programs, this will mean that each entity’s HIPAA breach policy will need to be updated and the revised policy implemented.  For entities that do not have HIPAA compliance programs this may also mean that administrative, technical and physical safeguards need to be developed.  In addition, for all entities, there are a number of new reporting considerations when there is an intrusion (e.g., a hack, ransomware, phishing attack) or unauthorized access into an entity’s electronic systems.

Click Here to download the Legal Alert.

* * * * *

If you need any assistance in implementing the requirements of the SHIELD Act, please contact the Garfunkel Wild attorney with whom you regularly work.