OIG Issues New Advisory Opinion on May 7, 2018

The Office of Inspector General (“OIG”) approved a proposed arrangement involving medical devices/supplies. OIG Advisory Opinion No. 18-02 concerns an arrangement where a company that manufactures, distributes, and sells medical device and pharmaceutical products provides a limited number of free sample ostomy products to patients and contracts with a third party to conduct follow-up customer satisfaction surveys. The OIG concluded that the Proposed Arrangement presents a low risk of fraud and abuse under the anti-kickback statute, and it would not impose administrative sanctions on Requestor under the anti-kickback statute. The Advisory Opinion is located here.

OIG Finds Cahaba Government Benefits Administrators, LLC Understated Medicare Administrative Contract Allowable Pension Costs

Cahaba Government Benefits Administrators, LLC, did not claim $2.7 million of allowable Medicare pension costs on its incurred cost proposals for calendar years 2008 through 2013. The report brief is located here.

OIG Report Indicates CMS Paid Practitioners for Telehealth Services That Did Not Meet Medicare Requirements

The Office of Audit Service conducted an audit of CMS claims for telehealth services. Its objective was to determine whether the CMS paid practitioners for telehealth services that met Medicare requirements. The Office of Audit Services analyzed 2014 and 2015 (the audit period) telehealth claims and found that more than half of the professional telehealth claims paid by Medicare did not have matching originating-site facility fee claims. It estimates that Medicare could have saved approximately $3.7 million during the audit period if practitioners had provided telehealth services in accordance with Medicare requirements. The report is located here.

The State of Alabama Passes a New Data Breach Notification Law

On March 28, 2018, Alabama became the final state in the U.S. to enact a data breach notification law. The Alabama Data Breach Notification Act of 2018 (S.B. 318) (“the Law”) goes into effect on June 1, 2018. Some of the key provisions include:

The Law applies to “covered entities” and their “third-party agents.”

A “covered entity” is defined as “a person, sole proprietorship, partnership, government entity, corporation, nonprofit, trust, estate, cooperative association or other business entity that acquires or uses sensitive personally identifying information.”

A “third-party agent” is defined as “an entity that has been contracted to maintain, store, process, or is otherwise permitted to access sensitive personally identifying information in connection with providing services to a covered entity.”

In addition to typical personal identifying information, the Law’s definition of “sensitive personally identifying information” includes health information (i.e., an individual’s medical condition and history, and health insurance identification numbers), as well as username or email address in combination with a password or security question and answer that would permit access to an online account likely to contain sensitive personally identifying information.

The Law applies to unencrypted computerized data or encrypted computerized data when the encryption key or code is also compromised.

Notification is not required if, after a prompt investigation in good faith, it is determined that the breach of security is not reasonably likely to cause substantial harm to the individuals to whom the information relates.

Written notice must be made to affected individuals (and to the Alabama Office of the Attorney General if over 1,000 Alabama residents are notified) within 45 calendar days of a determination that the breach of security is reasonably likely to cause substantial harm to affected individuals. Notice to all consumer reporting agencies is also required “without unreasonable delay” if over 1,000 Alabama residents are notified.

Third-party agents are required to notify the covered entity within 10 days of discovery of a breach of security.

ABME Issues Reminder of New CME Requirement For ACSC Holders

According to the Alabama Board of Medical Examiners (ABME) beginning with calendar years 2017- 2019, ACSC holders are required to earn or obtain two AMA PRA Category 1 Credits™ every two years in the areas of controlled substance prescribing practices, recognizing signs of abuse or misuse of controlled substances, or controlled substance prescribing for chronic pain management. Along with the reminder, the ABME also issued some corresponding frequently asked questions. A link to the ABME’s newsletter is located here.

The Alabama Board of Pharmacy Issued a Notice of Proposed Rulemaking

The new rule relates to the requirements of compounding and if adopted will be Alabama Administrative Code 680-X-2-.43. The substance of the proposed new rule is to reinforce that all pharmacies and pharmacists that engage in compounding of drugs must comply with all applicable requirements of the United States Pharmacopeia – New Formulary USP-NF. Oppositions can be directed to Wendy Passmore with the ABME from May 1, 2018 until June 5, 2018. The final date to present views is June 20, 2018. The proposed rule can be found here.