Spring-Summer 2010   

   In This Issue

Message from the Deputy General Counsel

 

I hope summer is going well, and not too fast. I know some who will remain unnamed are somewhere in the cool mountains of Colorado while the rest of us steam away. But, no, I will not complain (at least not much) and still would not trade these hot summers to return to those Michigan winters.

 

We are delighted with this issue to have our first articles by the newest members of the OGC team. As part of efforts to streamline System Administration, the Real Estate and Systemwide Compliance Offices are now part of OGC. With that we promptly imposed on the good graces of their directors and asked them to contribute to this newsletter, notwithstanding the fact that they do not officially join the office until September 1. Thus, you will find herein an article by Larry Plutko on CMS claim review programs and another by Florence Mayne on the Texas Constitution and below market leases.

 

Other offerings from OGC staff cover medical and medical billing records (Barbara Holthaus), peer-to-peer file sharing under the Higher Education Opportunity Act of 2008 (Steve Rosen), and nondischargeability of student loan debt (Traci Cotton). Thanks to all our contributors for their very fine work. We hope you find some helpful nuggets.

 

Remember to hold November 4th and 5th for this year’s OGC Legal Conference.

 

Best wishes to all,

 

Dan Sharphorn

 

<back to top>


New Attorneys at OGC

 

Please join me in welcoming a new attorney to OGC:

  • Paul Steinkraus
    Business Law Section

Paul comes to us from a very distinguished legal career at Ford Motor Company.  He began as an attorney working on real estate and purchasing matters and then served as senior attorney at Ford of Europe, counsel at Ford Motor Credit Company, counsel for Ford’s international operations and ended his service as vice president-general counsel for Ford Asia Pacific & Africa, stationed in Bangkok, Thailand.  Paul chose Austin as his retirement home over returning to Dearborn, Michigan.  Paul will devote his considerable talents to assisting with the strategic sourcing initiatives for the System Purchasing Alliance, which supports all 15 UT institutions in complex contracting and procurement matters to achieve cost savings and purchasing efficiencies.

<back to top>


**NEWSFLASH** **NEWSFLASH** **NEWSFLASH**

 

CAMPUS SPEECH NEWS

 

In Sonnier v. Crain, 2010 WL 2907484 (July 27, 2010), the U.S. Fifth Circuit Court of Appeals affirmed in part and reversed in part the District Court’s denial of a preliminary injunction challenging defendant university’s speech policy regulating the time, place and manner of speech by non-students on defendant’s campus. The court affirmed the denial of a preliminary injunction seeking to bar the enforcement of provisions of the speech policy requiring 7 days advance filing of a request for a permit to assemble; limiting the amount of time an individual or organization may speak to no more than 2 hours once per week; requiring the disclosure of personal information about permit applicants, and limiting assemblies and demonstrations to specific areas on campus. The court found that these restrictions were content-neutral on their face and were narrowly tailored to serve significant governmental interests. The court, however, reversed the district court and granted a preliminary injunction barring the enforcement of defendant’s policy requiring applicants to be responsible for the cost of security beyond that normally provided by the university, because the policy gave the university sole discretion to determine the need for and the amount of security without reference to objective factors to be relied upon in making the determination.

<back to top>


Texas Laws You May Have Missed Affecting Medical Records and Medical Billing Records

 

by Barbara Holthaus (General Law)

 

Feeling inferior because the student health center at your Academic institution is not subject to HIPAA1 and you don’t have HITECH2 horror stories to swap at seminars?  Bummed because the Open Records folks won’t let you argue that HIPAA applies to the health records at your health institution’s hospital?  If so, take heart - changes to state law clarify that medical records and billing records maintained in electronic form are subject to the Texas breach notification laws. If these records are breached, the institution must provide breach notifications to all affected individuals whose records were the subject of the breach. Another change now requires that any medical records and medical billing records held by a UT System institution that provided the services are confidential under Texas law and must be withheld under the Texas Public Information Act.
 
New Texas State Laws Now Cover Medical Records and Billing Records Not Subject to HIPAA/HITECH

 

By now, most of us have gotten the message that only institutions that meet the definition of a “Covered Entity”3 as that term is defined by HIPAA must comply with the HIPAA Privacy and Security rule and the new HITECH Breach Notification rules that apply to “Protected Health Information” (PHI).4  We also know that PHI that is subject to HIPAA does not include “education records” covered by FERPA5, student treatment records held by a campus student health center or counseling center,6or employment records held by System institution in its role as an employer.7

 

However, due to HB 2004, enacted during the 81st legislative session, information that identifies an individual and relates to:

  • the physical or mental health or condition of the individual;

  • the provision of health care to the individual; or

  • payment for the provision of health care to the individual;

 

is now part of the definition of “Sensitive Personal Information” protected by Chapter 521 of the Texas Business & Commerce Code

 

Under Business & Commerce Code Chapter 521, if a business maintains any electronic data bases that contain “sensitive personal information”, in “unencrypted form” the affected business must provide individual notices about the breach to all individuals who are affected by the breach.8

 

HB 2004 also added Government Code § 2054.1125, which clarifies that state agencies and public institutions of higher education, including UT System, UT System Administration and all UT System institutions are businesses that must comply with Business & Commerce Code Chapter 521.

 

All UT System institutions, regardless of whether they are required to comply with HIPAA, must now maintain and monitor the security of their records that consist of or contain medical and/or medical billing records.9 In cases where the Texas state breach law and HIPAA/ HITECH breach regulations both apply to particular information, the notices will be governed by the HIPAA/HITECH breach requirements, since the HIPAA regulations and law “preempt” (or trump) state law breach notice requirements. So, part of the required breach analysis that an institutions that has medical records and medical billing records, some of which are subject to HIPAA and some which are not, will be to figure out if the data that was breached constitutes PHI that is subject to HIPAA. If so, the HITECH requirements and the institution’s HIPAA/HITECH breach policies will apply. If not, the breach must then also be analyzed under Business & Commerce Code Chapter 521 and the requirements of that statute will apply.

 

Examples of medical records that are not subject to HIPAA that may be held by an institution include employee records that contain medical records to document a request for FMLA leave, sick leave pool access, worker’s compensation claims, a request for an accommodation under the Americans with Disabilities Act, or student treatment records held within or outside of the institution’s student health center.

 

Examples of medical payment records that are not subject to HIPAA that may be held by an institution include records claims paid under a System or university sponsored insurance plan that is not subject to HIPAA (for example a long term care or disability plan), or a claim paid to a provider at a student health center for treatment of a student.

Business & Commerce Code § 521.023 requires that if records that fall under the definition of “sensitive personal information” are the subject of a breach, the individuals whose “sensitive personal information” was breached must be notified in writing.

 

A “breach” is defined as any unauthorized acquisition that compromises the security, confidentiality or integrity of computerized sensitive personal information.10 However, “good faith” acquisition of such data is not a breach if the access is by an employee or agent of the institution unless the accessed data is disclosed in an unauthorized manner.11 This appears to mean that if an employee or agent (such as a vendor to whom the data is outsourced) accesses the data in error, but make no use of it and/or has not re-disclosed the data for an unauthorized purpose, no notification is required.

 

Notifications may be given by providing written notice or, if the individual has previously agreed to accept electronic communications from the entity, via e-mail. If the cost of the required written or e-mailed notices will exceed $250,000, the breach affects more than 500,000 individuals, or there is not sufficient contact information the notices may be given by e-mail - if the entity has the e-mail address - even without prior consent to communicate via e-mail; or, the entity may post a conspicuous notice on its website; or, it may publish notices in or broadcast notices on statewide media.12< In addition, if the incident requires notices to more than 10,000 persons, the entity must also notify each consumer reporting agency that maintains files on consumers on a nationwide basis about the notices, presumably so the reporting agency can prepare for the expected onslaught of inquiries by affected individuals.13

 

Notices must be provided “as quickly as possible” but may be postponed as necessary to determine the scope of the breach and restore reasonable integrity of the data system.14 In addition, notices may be delayed at the request of a law enforcement agency if it determines a criminal investigation will be impeded by the notifications.15

 

Institutions should have protocols and policies in place not only to avoid breaches whenever possible, but should also have protocols and policies for responding to and investigating potential breaches, for complying with applicable requirements when an actual breach occurs and performing all mitigation possible to prevent a similar incident from occurring in the future.  

 

In formulating its response to a breach, an institution may wish to expand its response beyond the minimal efforts required to avoid the legal sanctions imposed for failure to comply with these statutes.16 Studies have indicated that individuals whose data has been the subject of a breach often terminate their relationship with the entity soon after.  In addition, breaches often subject the affected entity to public scrutiny and media attention. This makes it important for institutions to handle even suspected breaches with utmost care and to be prepared to strive to achieve both transparency and seamlessness in its communications about the event.  Institutions may want to consider voluntarily providing notices and response that exceed the minimum requirements of the applicable law in order to mollify affected individuals.

 

Finally, since System remains responsible for compliance with applicable breach notification laws for any breaches that occur with respect to System information that has been outsourced to a vendor or other third party, all of an institution’s contracts that involve access to, or collection or storage of System-owned medical information or medical billing information should ensure that the vendor’s data plans for securing and monitoring the security of System’s data are adequate.  The vendor also must agree to notify the institution as soon as it becomes aware of any breaches and provide any information required by System to meet its notification and mitigation obligations.

 

These changes to the Texas breach reporting provisions narrow the gap that previously existed between state and federal requirements as to how and when an individual must be informed about breaches affecting his or her medical and medical payment records, although a few discrepancies remain. For example, the new HIPAA/HITECH breach notification rules have a specific sixty day period in which to provide notice. The requirements apply to breaches of paper records containing PHI as well as electronic data. A notice is not required if the Covered Entity determines that the breach did not pose a significant risk of financial, reputational or other harm. Under Texas law, a notice must be given “as soon as possible” and is required only for a breach that involves sensitive personal information in electronic form. On the other hand, although state law contains an exception for internal exposures, it does not leave it to the entity to determine whether the breach poses a risk of harm to the individual. Both reporting schemes serve the same goal, to ensure that individuals have knowledge about security incidents that have a potentially negative impact so they can take steps to detect or prevent possible identity theft.

 

HIPAA Medical and Medical Billing Records Are Now Explicitly Covered by the Texas Public Information Act

 

HB 2004 also added Texas Health and Safety Code §181.006 to close a different type of privacy gap - this one addresses the privacy protections afforded by HIPAA to citizens who receive medical services from a health care provider employed by a state agency (including System institutions) or health care coverage provided by a plan operated by a state institution of higher education or other state agency.

 

Section 181.006 amends Health and Safety Code Chapter181 “Medical Records Privacy”, to provide that records held by a governmental unit that meets the definition of a “covered entity” as defined in §181.001(2),17  are not subject to release under the TPIA if they “reflect that an individual health received health care from the covered entity.”18

 

Section 181.006 ensures that the protections afforded by HIPAA to an individual’s patient’s PHI are not eliminated by the TPIA simply because the medical or claims payment services offered to the individual were performed by a health care provider employed by or a health plan operated by the a governmental agency. Prior to passage of this amendment, the Texas Public Information Act was interpreted to trump the restriction placed by HIPAA on the release of PHI. This meant that the same PHI that if held by a provider or payor that was not part of a state agency or institution of higher education was protected by HIPAA, could not be withheld on the basis that it was protected by HIPAA if requested under an Open Records request from a provider or payor that was part of state agency. Instead, the agency or institution would have to establish that a Texas state privacy law also made the information confidential under state law.

 

This TPIA exception is particularly useful to System institutions that operate care facilities that are not staffed by physicians and/or mental health care providers and do not meet the definition of a licensed hospital as defined in Chapter 241 of the Texas Health & Safety Code. The only state law provisions that clearly make medical records confidential by law in the hands of a medical care provider are Chapters 159 and 160 of the Occupations Code, which applies only to physician records; Chapter 611 of the Health & Safety Code, which applies only to records created by a mental health provider or physician; and, Chapter 241 of the Texas Health & Safety Code, which applies only to entities that meet its definition of a “hospital.”  Therefore, this exception is crucial to permit System institutions that operate such clinics to ensure the privacy of its patients.

 

This new section does not change the availability of medical or medical billing records under a TPIA request if the records do not reflect health services provided by the institution as a covered entity. For example, the availability of an employee’s HR record that contains medical information from a provider not within the institution would have to be analyzed under other potentially applicable exceptions to the TPIA.

 

The Bottom Line:  Employees may now take FMLA leave if their closest family members suffer a serious injury or illness while on active duty in the Armed Forces (including the activated National Guard and Reserves). Soon, employees will be eligible to take FMLA leave if they suffer a “qualifying exigency” because their family members are on active duty or are called to active duty.

 

If you have any questions regarding this article, please contact Barbara Holthaus by email or at (512) 499-4617.

 

<back to top>

_____________________

 

1The Health Information Portability and Accountability Act of 1996 as amended by the HITECH Act, plus the Privacy and Security Rules and the other so-called “Administrative Simplification” regulations adopted to implement HIPAA.


2The Health Information Technology for Clinical and Economic Health (“HITECH”) Act of 2009. Among other things, HITECH and regulations adopted to implement HITECH require HIPAA Covered Entities and their Business Associates to report breaches of PHI protected by HIPAA to affected individuals and the Department of Health & Human Services (HHS) which enforces HIPAA. It also makes Business Associates directly responsible to HHS for complying with certain aspects of HIPAA. See for more info about the HITECH Act see The Forseeable Future e-Newsletter article on HITECH.


3Covered Entity is defined by HIPAA as a health plan; a health care clearinghouse; or a health care provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA. See 45 CFR §160.103.


4Protected Health Information (PHI) is generally defined by HIPAA as information held by or on behalf of  a HIPAA covered entity that is a subset of health information, including demographic information collected from an individual, and; is created or received by a health care provider, health plan, employer, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual; or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.


5The Family Educational Rights and Privacy Act of 1974 , as amended, 20 U.S.C. § 1232g, requires an institution of higher education to maintain the privacy and confidentiality of all education records maintained by the institutions about a student who is or was in attendance at the institution. Regulations implementing FERPA are at http://www2.ed.gov/policy/gen/reg/ferpa/index.html.


620 USC §1232g(a)(4)(B)(iv).


7See subsection (2)(ii) of definition of PHI at 45 CFR §160.103.


8The complete definition, at Business & Commerce Code §521.053(a)(2) is:

(2)"Sensitive personal information" means, subject to Subsection (b):
(A) an individual ’s first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted:
(i) social security number;
(ii) driver ’s license number or
government-issued identification number; or
(iii) account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual ’s
financial account; or
(B)  information that identifies an individual and relates to:
(i) the physical or mental health or condition of the individual;
(ii) the provision of health care to the individual; or
(iii) payment for the provision of health care to the individual.

9This includes records that are outsourced, including records collected by third parties in the course of providing services on behalf of UT System or held in applications, such a software or platforms used by System but owned by a vendor.


10Business & Commerce Code §521.053(a).


11Id.


12In cases where a substantial number of affected individuals reside outside of Texas, institutions should, for a variety of reason, consider voluntarily publishing in a nationwide media source as well.


13Id. at (b).


14Id. at (c).


15 Id. at (g).


16Failure to comply may result in civil fine of between $2,000 and 50,000 for each violation. The Texas State Attorney General may also bring an action against the offending entity for an injunction or restraining order and is entitled to attorney’s fee’s court costs and investigative costs incurred. Business & Commerce Code § 521.151.


17For purposes of Health and Safety Code Chapter 181, the term “covered entity” is defined §181.001(2) as any person who:

(A) for commercial, financial, or professional gain, monetary fees, or dues, or on a cooperative, nonprofit, or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information. The term includes a business associate, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, or person who maintains an Internet site;
(B) comes into possession of protected health information;
(C) obtains or stores protected health information under this chapter; or
(D) is an employee, agent, or contractor of a person described by Paragraph (A), (B), or (C) insofar as the employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits protected health information.

18Health and Safety Code §181.006(1).


P2P Compliance Under the HEOA: Meeting The July 2010 Regulatory Deadline

 

by Steve Rosen (Business Law)

 

The peer-to-peer (P2P) file sharing provisions in the Higher Education Opportunity Act of 2008 (“HEOA”) are about to lose their baby teeth as the Department of Education’s (“ED”) related final regulations become effective July 1, 2010.  If you work in your institution’s student affairs or technology services departments, now is the time to confirm that your campus has evolved from “good faith” compliance to squarely meeting the requirements of the regulations.

 

Almost since its inception, P2P file sharing has received a lot of negative attention because of its potential for improper distribution of copyrighted material (such as the Napster service in the late 1990s, used by many to illegally exchange mp3-formated copyrighted music).  P2P file sharing applications allow a computer to connect to a network of similarly-formatted P2P computers and, once connected, make it possible to upload, download and share files with other users in the community.  While infringing P2P uses get all the press, there are legitimate P2P uses as well (imagine members of a geographically-dispersed research team sharing data and content through a P2P network), and so the trick is understanding how to distinguish between illegal and legal network usage without actually introducing Big Brother into a dormitory room or campus office. 

 

For content providers, the original strategy to control illegal file sharing focused on litigation.  Recently, content providers have largely abated their broad-based end user litigation program, but the reality is that the playing field has simply shifted.  Instead of litigation, content providers have focused their efforts in recent years on working cooperatively with ISPs and promoting anti-piracy programs at educational institutions.  In the words of the Recording Industry Association of America (“RIAA”):

Educational institutions are uniquely positioned to shape student attitudes toward copyright.  Universities can increase network efficiency, reduce exposure to viruses, and ultimately reduce operating costs by adopting and consistently enforcing strong acceptable use policies, implementing technologies, and facilitating access to convenient, inexpensive, and legal alternatives.

The HEOA mirrors these goals almost precisely.  Linking institutional eligibility for student loan and assistance to HEOA compliance, the HEOA outlines several requirements with respect to curbing illegal P2P activity.  Most obviously, the HEOA requires institutions to inform and educate.  Institutions must make “an annual disclosure that explicitly informs students that unauthorized distribution of copyrighted material, including peer-to-peer file sharing, may subject students to civil and criminal liabilities.”  Institutions must also summarize the penalties for violation of federal copyright laws and further describe the institution’s policies (including disciplinary actions) with respect to illicit P2P activity. 

 

The HEOA also requires institutions to develop plans to support their educational campaigns and to “effectively combat” the illegal distribution of copyrighted material.  Institutions should consider the use of technology-based deterrents (more on that below) as a part of the plans.

 

Finally, the HEOA requires institutions, “to the extent practicable,” to offer alternatives to illegal downloading of P2P distribution of intellectual property, as determined by the institution in consultation with its chief technology officer. 

How are these three requirements to be implemented?  The HEOA’s legislative history and ED’s final regulations offer considerable help here. 

 

First, with respect to the disclosures and policies, ED has developed a summary of the civil and criminal penalties for violation of Federal copyright laws to include as part of the Federal Student Aid Handbook.  Beyond the copyright law summary provided by ED, though, each institution must still prepare its own summary of how the institution addresses the unauthorized distribution of copyrighted material.  If your institution is wondering what a conforming policy should include, the non-profit EDUCAUSE (which promotes thoughtful discussion and analysis of information technology issues for higher education) offers an outstanding repository of different policies, all of which reflect the diverse perspectives and points of emphasis one might expect of the higher education community.  The take-away here is that each institution should formulate a plan that reflects the mandate of the legislation (educating prospective and enrolled students about copyright compliance) and also the institution’s own policies and procedures for encouraging compliance (and how it deals with non-compliance).

 

Second, ED explained in its final regulations that the institutional plan to combat the illegal distribution of copyrighted material should be in writing, periodically reviewed using “relevant assessment criteria” to be determined by each institution, and should consider four categories of “technology-based deterrents”:

  • Bandwidth shaping (managing or controlling certain activities based on the types of activities being processed through a network);

  • Traffic monitoring to identify the largest bandwidth users (the examination of traffic based on bandwidth usage);

  • A vigorous program of accepting and responding to Digital Millennium Copyright Act (“DMCA”) notices; and

  • A variety of commercial products designed to reduce or block illegal file sharing.

Here is where you will need to consult your institution’s information technology experts.  As the legislative history supporting the HEOA makes clear, each institution has the discretion to determine which technology-based deterrent “best meets its needs, depending on that institution’s own unique characteristics, such as cost and scale.”  The institutions within the University of Texas System, for example, use some or all of these technologies, but each institution determines for itself which technology and program is best based on its own network architecture.  Many institutions use a combination of a commercial intrusion prevention system that has deep packet traffic inspection capacity, together with traffic monitoring and DMCA programs to deter, identify and control illegal P2P activity.  UT Austin employs a novel bandwidth accounting program that allocates to network users a certain amount of bandwidth each week.  Users need to pay for usage exceeding the quota.  This system has the advantage of managing bandwidth consumption without relying upon a commercial product to accurately identify illegal P2P activity (activity that can sometimes be encrypted), though it does require an internal registration system that can map IP addresses to users (which can be an expensive proposition).  The University of Michigan also employs a successful program – “BAYU” (Be Aware You’re Uploading) – that utilizes a bandwidth shaper together with an internal registration system, and it has made the details of its program freely accessible for others to emulate.

 

Last, ED’s regulations provide that institutions must, “[t]o the extent practicable, offer legal alternatives for downloading or otherwise acquiring copyrighted material, as determined by the institution.”  EDUCAUSE maintains an extensive listing of services that meet this requirement, though again institutions are not required to offer any such services if they determine it is not practicable to do so.  Regardless of whether any such services are offered, ED’s regulations require that institutions “periodically” review the legal alternatives for downloading and make available the results of the review to students “through a web site or other means.” 

 

The Bottom Line:  The HEOA requires a thoughtful, careful discussion of how to address and implement an integrated approach to illegal P2P file sharing.  While the regulatory burden is significant, the legislation also offers substantial discretion to higher education institutions to fashion an informational and technology-based program best-suited for each institution.

 

If you have any questions regarding this article, please contact Steve Rosen by email or at (512) 499-4337.

 

<back to top>


Expansion of CMS Claim Review Programs

 

by Larry Plutko (Compliance)

 

Prior to the passage of HIPAA in 1996, the Centers for Medicare and Medicaid Services (CMS) relied on Fiscal Intermediaries (Part A) and Carriers (Part B) to operate fraud detection programs and to identify healthcare providers suspected of wrongful coding and billing practices.  Since 1996, however, CMS has implemented several initiatives to: (1) prevent improper payments before the Medicare claim is processed for payment and (2) recoup improper payments after the claim has been processed and paid.

 

The prepayment programs include the National Correct Coding Initiatives Edits (NCCI) and the Medically Unlikely Edits (MUE), whereas the post-payment programs include Comprehensive Error Rate Testing (CERT) and Recovery Audit Contractors (RAC).  The RAC program has gained the most notoriety but, as we will see below, post-payment program expansion is currently underway across the country and in Texas.

 

Medicare Integrity Program

 

HIPAA includes a provision establishing the Medicare Integrity Program (MIP).  This gives CMS specific contracting authority to enter into contracts with entities to strengthen CMS’ ability to reduce fraud and abuse in the Medicare program.  CMS began transferring responsibility for program integrity for Part A and Part B to Program Safeguard Contractors (PSCs).  Over the last decade, PSCs have pursued alleged Medicare overpayments from Community Mental Health Centers (CMHCs) and other healthcare providers nationwide.  PSCs are now being replaced by Zone Program Integrity Contractors (ZPICs) which adds another acronym to the ever growing, regulatory alphabet soup.

 

Medicare Prescription Drug, Improvement, and Modernization Act of 2003

 

As part of the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA), Congress instructed HHS to conduct a three year demonstration project examining the use of Recovery Audit Contractors (RACs) to detect and correct improper payments.  In early 2005, CMS announced that three RACs would evaluate claims in three states as part of the pilot:  PRG Schultz, Inc. (California), HealthData Insights (Florida), and Connolly Consulting Associates (New York).  The contractors reviewed Medicare claims dating from October 2001 to September 2007.  They utilized proprietary automated software for data-mining and were paid on a contingency basis.  The demonstration resulted in $1.03B in improper payments which includes $992.7M in overpayments recouped and only $37.8M in underpayments repaid.  Each RAC jurisdiction was expanded in 2007 to include Massachusetts, South Carolina, and Arizona.

 

Tax Relief and Health Care Act of 2006

 

Based on the success of recoupment during the demonstration phase, Congress quickly passed legislation to expand the RAC program nationally before the demonstration project would conclude.  A provision in the Tax Relief and Health Care Act of 2006 authorized CMS to expand the program to all 50 states by 2010.  It should be noted that the Phase Two RAC expansion is in place in Texas, which is part of Region C, awarded to Connolly Consulting Associates. The RAC expansion amounts to a sea change for healthcare billing compliance and has led to the development of an elaborate appeals process including the use of RAC dispute attorneys.

 

Further Expansion of Post-payment Programs

 

The success of the RAC program has led federal and state agencies to contract with entities to data mine for improper billing and overpayments.  There are three groups active in this latest wave:

 

Medicare Administrative Contractors (MACs) process claims for both Part A and Part B services and are charged with overseeing claim completion and accuracy in addition to determining correct payments for services. Since MACs review the facility side and professional side related to the same beneficiaries, CMS feels that the MACs will be able to review discrepancies between the two sets of claims, revised payments, and/or increase denials.

 

Zone Program Integrity Contractors (ZPICs), as mentioned earlier, took up responsibility from the PSCs and are closely aligned to the MAC jurisdictions.  Health Integrity, LLC is the contractor for Texas. The ZPICs are authorized to conduct investigations, provide support to law enforcement, and conduct audits of Medicare Advantage plans.  Some ZPICs will also concentrate on various Medicare billing “hot targets.”

 

Medicaid Integrity Contractors (MICs), Health Management Solutions in Texas, review Medicaid claims to determine whether inappropriate payments or fraud may have occurred.  In addition, the MICs will audit Medicaid claims and identify overpayments and areas of high risk for payment errors or fraud.  Similar to the RACs, the MICs employ data- mining method as part of post-payment claim review.

 

Providers have voiced concerns that the same CMS ordered safeguards contained in the RAC program are not present in the other review contractors.  For example, there do not appear to be limits on the number of medical records or claims that can be requested for review, whereas the RAC program has limits.  MACs can conduct post-payment reviews up to four years after payment, in contrast to the three-year limit for the RACs.  MACs will not be required to provide reimbursement for copying of medical records as RACs are required to do for inpatient records.  Finally, MIC processes vary by state, providing concerns to providers with facilities in more than one state.

 

The Bottom Line:  The so-called “RAC Attack” has expanded nationwide, including Texas, and now involves Medicaid claims.  Systemwide Compliance will continue to keep UT System institutions informed as CMS Claims Review programs expand and impact our facilities.  Systemwide Compliance is collaborating with Health Affairs and OGC through the UT System Medical Billing Compliance Advisory Committee to implement a RAC Readiness plan at the health institutions.  Each health institution president has identified a high-level individual, such as a chief financial officer, to oversee an institutional RAC committee charged with preparing for and responding to RAC activity and to work with the Institutional Compliance Officer and staff. 


If you have any questions regarding this article, please contact Larry Plutko or C.J. Wolf, M.D.,  by email or by phone at (512) 579-5096.

 

<back to top>


Nondischargeability of Student Loan Debt: Impact of United Student Aid Funds, Inc. v. Espinosa

 

by Traci Cotton (Claims & Financial Litigation)

with contributions by Brooke Brightwell (Summer Law Clerk)

 

Student loan debt (the “Debt”) is generally not dischargeable in bankruptcy.  See 11 USC §523(a)(8). However, the debtor can file a separate adversary proceeding (see Federal Rules of Bankruptcy Procedure, Rule 7001, et seq.) under the bankruptcy case to seek a discharge of the Debt.  To grant the debtor a discharge of the Debt, the court must find that it will work an undue hardship on the debtor if he is required to pay the Debt. Until recently, this was the only method available to the debtor if he wanted to obtain a discharge of the Debt; the provisions of §523(a) (8) were self-executing and the creditor reaped the benefit of the section without taking any affirmative action.

 

A recent US Supreme Court decision, United Student Aid Funds, Inc.  v. Espinosa, 130 S.Ct. 1367 (2010), may allow the debtor to circumvent the undue hardship discharge process and ultimately obtain a discharge of the Debt, if certain conditions are met. 

 

Francisco Espinosa filed for bankruptcy under Chapter 13 in 1992. His proposed bankruptcy plan provided for repayment of the principal of his Debt, which was owed to United. However, the plan also provided for discharge of the related interest, which is generally not dischargeable under §523 (a) (8).  The court entered an order confirming the plan, which included the provision calling for discharge of the interest. Espinosa completed his payments according to the plan (principal only, no interest) and the general discharge order was entered by the court.  Since the general discharge order had been entered, and no separate adversary proceeding had been filed seeking discharge of the interest, United began collection efforts as to the interest. At this point, Espinosa sought enforcement of the confirmation order’s provision regarding discharge of the interest. Although the general discharge order originally excepted the interest from discharge, Espinosa successfully argued that the confirmation order should preempt.

 

The issue before the US Supreme Court dealt with whether the confirmation order was void because the dischargeability of interest was not supported by a separate adversary proceeding and a finding of the required undue hardship.  The court held that the confirmation order was not void, but clearly indicated that its holding was limited to the arguments United advanced. In other words, the court left open the possibility that other arguments could have prevailed.

The court went on to confirm the self-executing nature of the non-dischargeability provision, §523(a) (8), and reinforced that bankruptcy judges should not make dischargeability findings unless the adversary proceeding process is followed, and a finding of undue hardship is made. 

 

The opinion also indicated that the creditor should object at the earliest possible time to prevent the bankruptcy court from entering a confirmation order containing dischargeability language without following the appropriate process. So, despite the affirmation by the court that an adversary proceeding should be filed to obtain a discharge in this situation, it now becomes the creditor’s responsibility to review proposed plans for inappropriate dischargeability language; and to object before the order confirming is entered.  If this is not done, the creditor should appeal as soon as the confirmation order is entered. If appeal deadlines have run, the creditor should explore other procedural means of raising its objection to the confirmation order, before the case is closed.   Keep in mind that, although the opinion is limited to review of an order confirming the plan, it is possible that the debtor could hide dischargeability language in other pleadings.

 

The Bottom Line:  Institutions should exercise diligence in reviewing the bankruptcy documents they receive, especially proposed Chapter 13 plans. If discharge language affecting student loan debt is included, the institution should contact the Office of General Counsel immediately. If a debtor objects to collection attempts, claiming that he obtained a discharge of the student loan debt, the institution should contact the Office of General Counsel immediately.

 

If you have any questions regarding this article, please contact Traci Cotton by email or at (512) 499-4462.

 

<back to top>


The Texas Constitution and Below Market Leases

 

by Florence Mayne (Real Estate)

 

From time to time, University of Texas institutions are approached by third parties wanting to lease property from the institution for little or no cash rental, in exchange for services or other benefits to be provided to the institution.  One recent example, which was approved by the Board of Regents, is the American Cancer Society’s lease of land in the Texas Medical Center on land owned by the Board for the benefit of U. T. M. D. Anderson Cancer Center. The American Cancer Society will build a “Hope Lodge” for temporary residential services for cancer patients on the land.

 

Under Section 65.39 of the Texas Education Code, the Board of Regents has broad authority to sell or lease property owned by it.  That authority, however, is limited by Article III, Section 51 of the Texas Constitution, which provides, in part:

The Legislature shall have no power to make any grant or authorize the making of any grant of public moneys to any individual, association of individuals, municipal or other corporations whatsoever . . . .

Article III, Section 51 pertains to state property and contract rights, as well as to money. In an opinion addressing whether The University of Texas at Austin may provide space in university facilities to The University of Texas Law School Foundation rent-free, the Texas Attorney General reiterated the three requirements for compliance with Article III, Section 51:

  1. the grant of public property must serve a public purpose, appropriate to the function of a university;

  2. adequate consideration must flow to the public; and

  3. the university must maintain sufficient controls to ensure that the public purpose is actually achieved. 

Op. Tex. Att'y Gen. MW-373 at 1255 (1981).

 

The Attorney General noted that the determination of whether a public purpose is served is to be made by the Board of Regents in the first instance, and if challenged, ultimately by a court.  Id. 

 

Public Purpose and Adequate Consideration

 

Although stated as two separate requirements, the need to assure that the grant of public property serves a public purpose and the need to assure that there is adequate consideration are interconnected. Some of the key considerations are:

  1. The public purpose must be appropriate to the function of a university. 

  • The requirement that the public purpose be appropriate to the function of a university is a specific requirement in the Attorney General's opinion pertaining to The University of Texas Law School Foundation. Id. Some general public benefit will not be sufficient.

  • In an opinion pertaining to the City of College Station’s proposal to contribute money to the George Bush Library to be built on the Texas A&M University campus, the Attorney General stated:  "Accordingly, the city council would be well advised to determine what city purpose or purposes will be served by the library, and limit the use of city funds to such purposes, subject to controls to ensure that the city purposes are carried out." Op. Tex. Att'y Gen. DM-394 (1996) at 2160 (emphasis added).

  1. The public purpose must not be so general as to make it difficult to determine whether the university will actually benefit. 

  • An agreement that is too general in nature will not be sufficient to permit a governing body to make a decision with respect to whether a public purpose is served. In the opinion pertaining to the City of College Station’s proposal to contribute money to the George Bush Library to be built on the Texas A&M University campus, the Attorney General noted that the city's contribution was not designated for a particular program and therefore the city would be unable to determine if the expenditure will actually benefit the city.  Id.

  1. A factual analysis must be made to determine how the grant serves the public purpose.

  • In the opinion pertaining to The University of Texas Law School Foundation, the Attorney General suggested some possibilities for consideration by the Board of Regents with respect to how the foundation's presence in the law school serves a public purpose: the ease of access to employees, faculty and students with respect to the programs of the foundation and the savings realized by the foundation that would then flow to the university.  Op. Tex. Att'y Gen. MW-373 at 1256.

  1. The more below market the rent is, the greater the public purpose to be served must be.

  • As explained by a later Texas Attorney General opinion, "Article III, Section 51 of the Texas Constitution would not prohibit the lease of public property for less than fair market value if it served a public purpose." Op. Tex. Att’y Gen. JM-1156 at 4462 (1990).  That opinion dealt with the question of whether the state could lease space for a child-care facility in a state building for less than fair market value. The Attorney General noted that the bill authorizing the General Services Commission to lease space in a building for child-care purposes was accompanied by a bill analysis that set out the public purpose: the provision of convenient, economical, quality child-care services and its effect on employee morale, job satisfaction and productivity. The Attorney General opined that “[w]e think the courts would agree with the legislature that leasing space for child care facilities at a rate less than fair market value in order to improve employee performance is a public purpose.” Id. Note that neither the legislature nor the Attorney General contemplated that the lease would be rent-free, however.

  • An Attorney General opinion dealing with the authority of a county to furnish rent-free office space to a chamber of commerce concluded that the provision of rent-free space would violate the Texas Constitution.  Op. Tex. Att’y Gen. JM-753 (1987).  In that opinion, the Attorney General noted that the chamber of commerce is not an agent of the public and that the chamber of commerce’s presence is not necessary to the convenience of county employees or to those transacting business with the county.  Id. at 7229. 

Sufficient Controls to Ensure that the Public Purpose Is Met

 

The third requirement is that sufficient controls exist to ensure that the public purpose is met.  Some points to consider:

  1. The controls are typically contractual, but may also be non-contractual.

  • In analyzing whether controls existed to ensure that the public purpose was met in The University of Texas Law School Foundation matter, the Attorney General noted that the proposed memorandum of understanding between the university and the foundation contained promises that were too vague to be enforceable.  The Attorney General further noted that the foundation's compliance with its legal duties under its charter could not constitute consideration. The Attorney General, however, noted that the Board's authority to control the use of its space, the state auditor's authority to conduct audits and the fact that the foundation's records are subject to the public information act would constitute sufficient control.  Op. Tex. Att'y Gen. MW-373 at 1256-57

  1. The contractual agreement entered into by the parties must be sufficiently specific with respect to the obligations that serve a public purpose and with respect to how those obligations will be enforced.

  • In the opinion pertaining to the City of College Station's proposal to donate funds to the George Bush Presidential Museum, the Attorney General found the proposed agreement too general to provide sufficient controls to ensure that the public purpose would be met. The agreement simply stated that the library will be open to the public but did not state the number of days or how the city would enforce the requirement.  Op. Tex. Att'y Gen. DM-394 at 2160.

The Bottom Line:  A lease of U. T. property at less than fair market rental is constitutionally permissible if: (1) the lease meets the three requirements articulated by the Texas Attorney General: the lease serves a public purpose specific to the mission of the university, there is adequate consideration, and there are sufficient controls in place to ensure that the public purpose is met; and (2) a finding of public purpose is made by the Board of Regents.

 

If you have any questions regarding this article, please contact Florence Mayne by email or at (512) 499-4517. 

 

<back to top>


Resources from this e-Newsletter

<back to top>


Office of General Counsel
201 W. 7th Street
Austin, TX 78701
Tel: 512.499.4462
Fax: 512.499.4523
www.utsystem.edu/ogc/