Patient Protection and Affordable Care Act Declared Unconstitutional

In a brief 78 page Opinion, Federal District Court Judge Roger Vinson of the U.S. District Court of the Northern District of Florida struck down portions of the the Patient Protection and Affordable Care Act on constitutional grounds.  The impact of that decision on PPACA initiatives in Florida, such as Accountable Care Organizations, remains to be seen, althought the DOJ has expressed its intent to appeal the ruling. In addition, Deputy Senior Advisor Stephanie Cutter responded:

We don't believe this kind of judicial activism will be upheld and we are confident that the Affordable Care Act will ultimately be declared constitutional by the courts.

She characterized the ruling as "well out of the mainstream of judicial opinion," noting that 12 federal judges have dismissed challenges to the law's constitutionality and two--in Michigan and Virginia--have upheld the law.

Are Cloud-based HIEs Subject to Twitter-Google-Facebook-like Subpoenas?

In a recent New York Times article, Google, Twitter and other internet companies raise concerns regarding the wave of requests they receive for customer data from law enforcement agencies. Last year, Google counted more than 4,200 such requests in the first half of 2010.  Other internet and telecommunications companies, like Twitter and Facebook, are also feeling inundated with such requests for information. The NYT articles reports that Verizon told Congress in 2007 that it received some 90,000 such requests each year, and Facebook told Newsweek in 2009 that subpoenas and other orders were arriving at the company at a rate of 10 to 20 a day. 

These companies and others are saying that the main law governing communication privacy — the Electronic Communications Privacy Act of 1986 (ECPA) -- is outdated, and affords more protection to letters in a file cabinet than personal information maintained on a server. The current ECPA does not explicitly afford protections for the vast majority of private content stored on the Internet, allowing law enforcement agencies to obtain a person’s online data with a simple subpoena from a prosecutor. This weak level of protection has created tension between privacy advocates and law enforcement agencies that consider internet data to be a valuable source of crucial information.  In fact, Google, along with other Internet companies such as Verizon, Facebook, and Twitter, have increasingly been targeted by law enfo­rcement for personal data information.

Unlike Twitter, whose policy is to notify users before releasing personal information, most Internet companies are not required to provide users with any notice, and law enforcement officials can even demand that requests be sealed from targets of investigation. Since there are no straightforward standards in the ECPA governing Internet information, courts in different jurisdictions have interpreted them differently and created a piecemeal collection of rules. Under the ECPA, emails can be accessed by the government without a warrant under certain storage conditions or after a certain amount of time has passed.

According to the Center for Democracy and Technology’s (CDT) Digital Due Process coalition, the current rules are inadequate and do not meet the Fourth Amendment’s due process clause. In December 2010, two federal appeals court decisions supported CDT’s stance, ruling that the ECPA standards for government surveillance have not kept up with technological progress and do not meet Constitutional standards. Over the past year, the CDT, along with privacy advocates, legal scholars, and major telecommunications service providers, have developed a set of standards under which they believe the ECPA should be updated. The ACLU has also created proposals designed to simplify, clarify, and strengthen the ECPA:

  1. Robustly Protect All Personal Electronic Information. Current loopholes in our privacy laws need to be closed to protect electronic information without regard to its age, whether it is "content" or "transactional" in nature, or whether an online service provider has access to it to deliver services.
  2. Safeguard Location Information. The law should require government officials to obtain a warrant based on probable cause before allowing access to location information transmitted through cell phones, which 82% of Americans own.
  3. Institute Appropriate Oversight and Reporting Requirements. To ensure adequate oversight by Congress and adequate transparency to the public, existing reporting requirements for wiretap orders must be extended to all types of law enforcement surveillance requests.
  4. Require a Suppression Remedy. If a law enforcement official obtains non-electronic information illegally, that information usually can’t be used in a court of law. The same rule, however, doesn’t apply to illegally-obtained electronic information. Such a rule only encourages government overreaching and must be changed to require a judge to bar the use of such unlawfully obtained information in court proceedings.
  5. Craft Reasonable Exceptions. Currently ECPA sometimes allows access to the content of communications without a true emergency, without informed consent and without prompt notice to the subject. ECPA must be amended on each of these fronts if electronic records are to receive the protections Americans need.

For now, it is up to Congress to decide whether to not to adopt these proposed updates and negotiate the critical balance between the protection of personal expectation of privacy and the government’s need to protect the public.  However, for RHIOs, HIOs, and software vendors offering PHR and HIE solutions via the internet, the impact of the ECPA should be evaluated as well, particularly with respect to whether data maintained in internet-based HIE repositories may be subject to disclosure pursuant to this federal law.

Prepared with assistance from Melody Hsiou, MPH Columbia University, J.D. expected from Seton Hall Unversity 2013.

HHS Announces New Funding to Help States Implement Affordable Care Act

Posted today on HHS' Website:

Today, Health and Human Services (HHS) Secretary Kathleen Sebelius announced a new funding opportunity for grants to help states continue their work to implement a key provision of the Affordable Care Act – Health Insurance Exchanges.

When the Affordable Care Act is fully implemented in 2014, Health Insurance Exchanges will provide individuals and small businesses with a “one-stop shop” to find and compare affordable, high-quality health insurance options.

[']States are moving forward, implementing the Affordable Care Act and making reform a reality,['] said Sebelius. [']These grants will help ensure states have the resources they need to establish exchanges and ensure Americans are no longer on their own when shopping for insurance.[']

Health Insurance Exchanges will bring new transparency to the market so that consumers will be able to compare plans based on price and quality and will offer all Americans the same insurance choices members of Congress will have. By increasing competition among insurance companies and allowing individuals and small businesses to band together to purchase insurance, Exchanges will also lower costs.

The Exchange establishment grants announced today recognize that states are making progress toward establishing Exchanges but doing so at different paces. States that are moving ahead on a faster pace can apply for multi-year funding. States that are making progress in establishing their Exchange through a step-by-step approach can apply for funding for each project year. Moving forward, states will have multiple opportunities to apply for funding as they progress through Exchange establishment. This process gives states maximum flexibility and ensures that states can move forward on their own timetables as they work to build an Exchange.

States can use the Exchange establishment grants for a number of different activities including conducting background research, consulting with stakeholders, making legislative and regulatory changes, governing the exchange, establishing information technology systems, conducting financial management and performing oversight and ensuring program integrity.

States are already taking their first steps toward 2014 when Health Insurance Exchanges will be operational. For example, California signed first-in-the-nation legislation to implement a Health Insurance Exchange under the Affordable Care Act on September 30, 2010. Maryland’s Health Reform Coordinating Council has already carried out research to understand the state’s health insurance marketplace and health expenditures, as well as how to make health care costs and quality more transparent. Colorado is holding regular community forums on issues around developing an Exchange, as well as conducting extensive research and economic analyses on the state’s health insurance market.

Many of those activities have been funded by the $49 million in Exchange planning grants awarded by HHS in July of 2010. States applied to use those grants for a number of important planning activities including research to understand their insurance markets, efforts to obtain the legislative authority to create Exchanges, and steps to establishing the governing structures of Exchanges.

The Exchange establishment funding announcement can be found at by searching for CFDA number 93.525. More information can be found at

ACO Pilots for New Jersey -- Will they "fly"?

The New Jersey Health Care Quality Institute (NJHCQI) brought together several distinguished experts to discuss the development of and implications for the new accountable care organization (ACO) models and rules being established on a federal and state level for Medicare and Medicaid. The focus of the seminar was on exploring what ACOs were (and what they were not), as well as the anticipated CMS rule and pending New Jersey legislation for a Medicaid ACO demonstration project. Speakers included, among others, David Knowlton, President and CEO of the NJHCQI, Jonathan Blum, Deputy Administrator and Director for the Center of Medicare, CMS, and Dr. Jeffrey Brenner, founder of the Camden Coalition of Healthcare Providers.

The keynote speaker, Jonathan Blum, discussed CMS’ views for the forthcoming CMS Rule on ACO participation in the Shared Savings Program established by the Patient Protection and Affordable Care Act (PPACA). Anticipated by mid-January, Blum noted that the focus would be on both quality and cost-control, not just solely for participants for the Medicare program, but for the broader scheme of health care delivery systems and all other payors on a state and private level. Mr. Blum provided ten central principles that the anticipated Notice of Proposed Rulemaking would center around:

  • ACOs are not one-size fits all and therefore the Rule will need to respond to and attract large integrated hospital systems, small and medium sized physician groups, and hospital-physician groups. Mr. Blum acknowledged that this could require different payment models and “entry ramps” that would create multiple pathways suitable for different types of organization as well as populations (eg., urban or rural).
  • ACOs must change patient care. The ACO structure must move away from uncoordinated and fragmented care and move towards coordinated, patient-centered “journeys.”
  • ACOs must prioritize clinical quality and standards. The Rule will strive to ensure that delivery systems reward outcomes and processes, as well as focus on improving patient experiences and responding to patient expectations. Mr. Blum noted that the Rule will almost certainly establish quality measures that ACOs will need to meet.
  • ACOS are about constant improvement and evolution. Although the Rule will certainly set benchmarks and standards, CMS is aware that there will need to be a constantly evolving process, with updated payment rules and policies each year, as well as policies that incentivize (not dictate) organizations to invest in health information technology and other vital improvements.
  • ACOs must include data-exchange solutions for understanding patient histories and identifying high-risk patients. Mr. Blum noted that CMS is very much aware of the culture of privacy and confidentiality that this conflicts with at the same time as understand the need for information to be shared with doctors and CMS.
  • ACOs must involve communication to patients. Patient advocacy and notice of participation is key. Patient-beneficiaries will be notified when being assigned to an ACO, and Mr. Blum highlighted how notice helps patients understand the incentives their physicians have in participating in ACOs but at the same time understanding also the benefits their participation in an ACO will result in.
  • ACOs are NOT just about signing up and taking a gamble that it will work, or attempting to maintain the “status quo.” Mr. Blum noted the Rule will take this in to account and create mechanisms to ensure that organizations seeking to participate share the same values that CMS does towards improving quality and controlling costs.
  • ACOs are NOT about dominating markets. Mr. Blum underscored how CMS was well aware of the antitrust implications of ACOs and gave assurances that CMS was working with the DOJ and OIG to ensure the Rule would be compliant and not create anticompetitive concerns.
  • ACOs are NOT about changing the nature of the underlying Medicare fee-for-service structure. Mr. Blum emphasized that the Rule will not take away rights for beneficiaries to receive care from different hospitals or physicians.
  • ACOS are NOT static. They must be constantly evolving, creating new models and striving to meet the concerns of organizations and patients as they emerge.

Questions asked of Mr. Blum by attendees revolving around how exactly the proposed Rule would address anticompetitive concerns for multi-hospital concerns, what the ACO model would look like (physician-led, hospital-led?) and how the Rule would address the conflict of patient-choice and a cohesive coordinated system of care. Mr. Blum, although unable to provide specifics, noted that the Rule would try to capture multi-system patients in one-system of care while balancing market concerns and competiton, avoinding monopoly creating incentives. He also acknowledged that PPACA was somewhat inconsistent in striving to maintain patient choice but yet seeking a coordinated system of care, and that the Rule would seek to establish incentives for patients to stay with providers in an ACO, noting that “creation of demand for quality of care” was a key for success. He also focused on the role of physicians in ACOs as a key success and although not embracing any one ACO model, stated CMS would try to make participation attractive to all types of leadership roles. Finally, Mr. Blum emphasized again how important it was for ACO organizations not only to “work for CMS” but to work for other payors, including Medicaid.

Jeffrey Brenner focused on the establishment of Medicaid ACOs in NJ, highlighting the problems in the past of increasing volume without increasing quality of care for patients. The goal of ACOs, he emphasized, was to move away from volume, and instead towards increasing quality and lowering costs. The legislation introduced into NJ would be that aimed towards “safety-net” ACOs with a focus towards better primary care that was community-based, not hospital-based. The board would be composed of providers, hospitals, social service providers AND patients within the organizations chosen geographic area. He then focused on why ACOs are necessary, emphasizing that the nation as a whole, including NJ, was going broke, and how NJ in particular was an outlier in hospitalization and care. He highlighted that cost-shifting methods and remote care management simply did not work to reduce costs, and that hospitals needed assistance transitioning, or face mass closings, in response to the shift in volume expected from ACOs. Finally Mr. Brenner re-emphasized that the NJ Medicaid ACO model will seek to develop mechanisms for delivering ground-up, high quality care.

Representatives from the business community stressed that quality and access to care was critical to businesses and that the NJ ACO legislation had the full backing of the Chamber of Commerce and business community. Mr. Wilson, from the Kaufman Zita Group, noted that the goal was to have the legislation passed, in full, by March, and that as many problems and concerns of stakeholders would be addressed as possible.

The general concern among attendees appeared to revolve around ensuring that all social service providers and community representatives were included within the ACO structure, as well as general antitrust and anticompetitive concerns. Of particular concern to some was the transition process and the difficulties hospitals would face in light of the new legislation and Mr. Brenner acknowledged that while the transition would likely be “messy”, hospital closings, where necessary, would need to be done methodologically and carefully and noted that the legislation would help at-risk hospitals learn the skills they need to reinvent themselves in the wake of the ACO movement. And finally, some expressed concern that the NJ Medicaid ACOs would not be able to “stand on their own” if PPACA were repealed at the federal level. Panelists stressed that the NJ legislation was entirely independent of PPACA. Because the ACO model predated the Act, they felt that it would continue even if the remote possibility of PPACA’s repeal came true.

JAMA recently published an article noting that:

Proponents hope that ACOs will allow physicians, hospitals, and other clinicians and health care organizations to work moreeffectively together to both improve quality and slow spending growth. Skeptics are concerned that ACOs will focus narrowly on their bottom line and either stint on needed care or use the leverage they achieve through local integration to demand unreasonable prices from payers…. It is likely that the success of ACOs (and the many other payment-reform initiatives included in the Affordable Care Act) will depend in large part on whether the Centers for Medicare & Medicaid Services, private payers, physicians, and health system leaders can work together to establish a tightly linked performance measurement and evaluation framework that not only ensures accountability to patients and payers, but also supports rapid learning, timely correction of policy and organizational missteps, and broad dissemination of successful organizational and practice innovations." (emphasis added).  

For additional information about the PPACA the AMA has a good summary posted that is worth checking out.  To receive a copy of our health law bulletin discussing antitrust and other legal issues for ACOs, including privacy laws that continue to affect how health information exchange among providers may occurr, even in the ACO context, submit your request to

This post was prepared with assistance from Krystyna Nowik, Esq.

Think you are Exempt from the Red Flags Rule? ... Don't Take Your Red Flags Down So Fast.

Prepared by Krystyna Nowik, Esq.

Health care providers and the Identity Theft Red Flags and Address Discrepancies Final Rule (“Red Flags Rule”) have had a drawn-out and bumpy history together. Considerable uncertainty with regard to what entities were or should be considered creditors within the meaning of the Red Flags Rule resulted in multiple delays in the effective date and several legal challenges to the Red Flags Rule (e.g., the American Bar Association (ABA) and its applicability to attorneys and the American Medical Association (AMA) and its applicability to physicians).

On December 18, 2010, the Red Flag Program Clarification Act was passed for the sole purpose of narrowing the definition of creditor and providing some clarification as to what entities would be subject to the Red Flags Rule. The Red Flag Program Clarification Act does not explicitly exclude physicians, hospitals or other types of professionals or entities who had challenged the Red Flags Rule applicability. However, it revises the definition of creditor to mean:

(1) a creditor as defined by section 702 of the ECOA (e.g., any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew or continue credit) that regularly and in the ordinary course of business:

a. obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction;

b. furnishes information to consumer reporting agencies, as described in section 623, in connection with a credit transaction; OR

c. advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person;

(2) that does not include a creditor that advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person; AND

(3) includes any other type of creditor…as the agency…may determine appropriate…based on a determination that such creditor offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft.

Under this new definition, attorneys and other entities will not be considered a creditor for purposes of the Red Flags Rule. Additionally, many physicians and hospitals may not be subject to the Red Flags Rule. However, the exemption does NOT necessarily let all health care providers off the hook.

Entities will still need to look at whether they "regularly and in the ordinary course of business" obtain or use consumer reports or furnish information to consumer reporting agencies as well as whether they are advancing funds that will need to be repaid by the person. This potentially means that hospitals or physician groups that routinely submit information on non-paying patients to collection agencies which in turn submit such information to a credit reporting agency WILL be subject to the Red Flag Rules.

In addition, further guidance is likely to be issued by the FTC regarding the applicability of the new creditor definition and other types of creditors with regard to “reasonably foreseeable risk”. Additionally, no guidance is provided by the Red Flag Program Clarification Act as to what “regularly and in the ordinary course of business” means. However, although the American Hospital Association believes hospitals are clearly exempt from the Red Flags Rule by the new definition, hospitals who engage in billing and collection practices should be prepared to comply as of January 1, 2011 in the event such activities would qualify the hospital as a “creditor” or in the event the FTC through rulemaking expressly covers hospitals under the “reasonably foreseeable risk” of identity theft provision.

In the end, the underlying reason for implementing an identity theft program, such as the one required under the Red Flags Rule, is to help prevent potential harm to the victim.  When dealing with medical identity theft, the stakes can be much more than just financial loss -- it can potentially cost a person their health, or life.  Where multiple providers are connected through and HIO and engaging in HIE, the risks and harm resulting from identity theft may be multiplied.  Therefore, irrespective of whether a provider is or is not directly subject to the FTC assessing penalties for noncompliance, implementing a Identity Theft Prevention Program is a good idea from the standpoint of risk management, and patient care.

For a great video on Medical Identity Theft, watch this news report from CBS3.  For more information about the Red Flags Rule, click "Continue Reading" below.

Continue Reading