The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced that it had entered into a Resolution Agreement, Corrective Action Plan, and settlement with Lifetime Healthcare, Inc., the parent of Excellus Health Plan, over alleged violations of HIPAA relating to a data breach that occurred from December 23, 2013 through May 11, 2015. During that time, a cybercriminal obtained access to its IT systems and installed malware that allowed the intruder to obtain access to the protected health information of more than 9.3 million individuals.
On January 14, 2021, the U.S. Court of Appeals for the Fifth Circuit overturned a $4.348 million penalty for alleged HIPAA violations assessed by the U.S. Department of Health & Human Services (HHS) against the University of Texas M.D. Anderson Cancer Center (Hospital). The case arises from an enforcement action undertaken by HHS following the Hospital’s self-disclosure of three separate instances of lost or stolen portable devices containing electronic protected health information (ePHI). The government’s investigation determined that the devices were not encrypted, and that the Hospital’s failure to encrypt the devices to protect the ePHI contained therein constituted a violation of HIPAA’s Privacy and Security Rules. After HHS imposed the penalty in 2017, the Hospital appealed the penalty first to an Administrative Law Judge, and then to HHS’s Departmental Appeals Board before petitioning the Fifth Circuit for review in 2019 (see our prior analyses of this case here).
The Office for Civil Rights (OCR) issued a notice yesterday stating that it will not impose penalties for HIPAA non-compliance in connection with a covered entity health care provider’s or business associate’s good faith use of online or web-based scheduling applications (WBSAs) for the scheduling of appointments for COVID-19 vaccinations during the public health emergency. The notice is retroactively effective to December 11, 2020. OCR highlights to covered health care providers and business associates that its temporary lifting of HIPAA penalties applies only to scheduling of COVID-19 vaccinations and to no other activities.
On December 10, 2020, the U.S. Department of Health and Human Services (HHS) announced proposed changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, which is one of several rules that protect the privacy and security of individuals’ medical records and other protected health information (PHI). According to HHS, the proposed changes are intended to support individuals’ engagement in their health care, remove barriers to coordinated care and case management, and reduce regulatory burdens on the health care industry, while continuing to protect the privacy and security of individuals’ PHI.
On December 7, 2020, Connecticut Governor Ned Lamont signed Executive Order No. 9Q (the “Order”) in anticipation of the approval of COVID-19 vaccines. The Order addresses and expands COVID-19 vaccine administration, establishes flu vaccine reporting requirements for pharmacists, and limits out-of-network charges for administration of authorized COVID-19 vaccines. Specifically, the Order:
On November 30 and December 2, 2020, the Department of Health and Human Services Office of Inspector General (OIG) published two final rules (available here: November 30 Final Rule and December 2 Final Rule) which modify the safe harbor regulations to the federal Anti-Kickback Statute (AKS) and codify a new exception to the Civil Monetary Penalty (CMP) Rules related to beneficiary inducements. Most of the changes are effective January 19, 2021.
Together with the new physician self-referral law (also known as Stark) regulations published by the Centers for Medicare & Medicaid Services on December 2, 2020, these updates represent long-awaited changes to the federal fraud and abuse laws, and are part of the federal administration’s Regulatory Sprint to Coordinated Care (see our analysis of that final rule here).
On November 20, 2020, the Centers for Medicare and Medicaid Services (CMS) published its long-awaited and highly anticipated final rule updating regulations promulgated under the Physician Self-Referral or “Stark” law (the OIG simultaneously published updates to the Anti-Kickback Statute regulations). Among other things, CMS introduced new Stark exceptions for certain “value-based arrangements,” the donation of cybersecurity technology and services and limited remuneration to physicians; introduced new definitions and updated key terms, including “commercial reasonableness,” the “volume and value” standard and “fair market value”; and updated several existing exceptions, including the exception for the donation of electronic health record items and services. The changes to the Stark law regulations become effective January 19, 2021, except for the changes concerning profit shares and productivity bonuses for group practices, which go into effect January 1, 2022.
On November 3, 2020, a Massachusetts Federal District Court issued a notable decision on the applicability of the state’s medical peer review privilege in a federal proceeding, determining that the privilege does not apply to documents requested in discovery as part of a qui tam False Claims Act (FCA) case. In United States ex rel. Wollman v. Massachusetts General Hospital, Inc. et al., Case Number 1:15-cv-11890-ADB, the court reviewed the purpose of the peer review privilege and precedent addressing the applicability of state privileges under the Federal Rules of Evidence, and concluded that the privilege should not apply because the “goal of the peer review privilege would not be thwarted if it was not applied” in a case predicated on alleged billing fraud. The court’s decision is instructive for health care providers and whistleblowers in connection with discovery and the applicability of medical peer review privileges to FCA cases.
On November 20, 2020, the Department of Health & Human Services (HHS) released heavily anticipated final rules revising the regulatory exceptions to the Physician Self-Referral Law (also known as the Stark Law), the Anti-Kickback Statute (AKS) safe harbors, and the Beneficiary Inducements Civil Monetary Penalties (CMP) regulations. The changes to the regulations go into effect on January 19, 2021 (except for one change to the Physician Self-Referral Law that becomes effective January 1, 2022). In a separate rule also released November 20th, HHS removed safe harbor protection for rebates involving prescription pharmaceuticals and created a new safe harbor for certain point-of-sale reductions in price on prescription pharmaceuticals and pharmacy benefit manager service fees.
The full text of each rule is available below.
- Final Physician Self-Referral Law Rule, Centers for Medicare & Medicaid Services (CMS): https://public-inspection.federalregister.gov/2020-26140.pdf
- Final AKS Rule and Beneficiary Inducements CMP Regulations, Office of Inspector General (OIG): https://public-inspection.federalregister.gov/2020-26072.pdf
- Final Rule on Rebate/Point-of-Sale Price Reductions Safe Harbor, OIG: https://public-inspection.federalregister.gov/2020-25841.pdf?utm_campaign=pi+subscription+mailing+list&utm_source=federalregister.gov&utm_medium=email
The Office for Civil Rights (OCR) recently settled a tenth case under its right-to-access initiative with California-based Riverside Psychiatric Medical Group (RPMG), for $25,000.
Although a relatively small settlement in the amount paid, it shows that the OCR is taking patients’ requests for access to their medical records seriously, and that no complaint is too small to investigate and enforce.