Excellus Health Plan Pays $5.1M to OCR in Settlement Following Data Breach

By Linn Foster Freedman on January 22, 2021 Posted in HIPAA, Privacy and Security

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced that it had entered into a Resolution Agreement, Corrective Action Plan, and settlement with Lifetime Healthcare, Inc., the parent of Excellus Health Plan, over alleged violations of HIPAA relating to a data breach that occurred from December 23, 2013 through May 11, 2015. During that time, a cybercriminal obtained access to its IT systems and installed malware that allowed the intruder to obtain access to the protected health information of more than 9.3 million individuals. Continue Reading

Fifth Circuit Overturns “Arbitrary and Capricious” $4.3 Million HIPAA Penalty Against Hospital

By Conor Duffy on January 21, 2021 Posted in HIPAA, Privacy and Security

On January 14, 2021, the U.S. Court of Appeals for the Fifth Circuit overturned a $4.348 million penalty for alleged HIPAA violations assessed by the U.S. Department of Health & Human Services (HHS) against the University of Texas M.D. Anderson Cancer Center (Hospital). The case arises from an enforcement action undertaken by HHS following the Hospital’s self-disclosure of three separate instances of lost or stolen portable devices containing electronic protected health information (ePHI). The government’s investigation determined that the devices were not encrypted, and that the Hospital’s failure to encrypt the devices to protect the ePHI contained therein constituted a violation of HIPAA’s Privacy and Security Rules. After HHS imposed the penalty in 2017, the Hospital appealed the penalty first to an Administrative Law Judge, and then to HHS’s Departmental Appeals Board before petitioning the Fifth Circuit for review in 2019 (see our prior analyses of this case here).

OCR Announces it Will Not Impose HIPAA Penalties for Use of COVID-19 Vaccine Scheduling Apps

By Nathaniel Arden on January 21, 2021 Posted in COVID-19, Health Information Technology, HIPAA, Hospitals and Health Systems, Physicians and Allied Health Professionals, Privacy and Security

The Office of Civil Rights (OCR) issued a notice yesterday stating that it will not impose penalties for HIPAA non-compliance in connection with a covered entity health care provider’s or business associate’s good faith use of online or web-based scheduling applications (WBSAs) for the scheduling of appointments for COVID-19 vaccinations during the public health emergency. The notice is retroactively effective to December 11, 2020. OCR highlights to covered health care providers and business associates that its temporary lifting of HIPAA penalties applies only to scheduling of COVID-19 vaccinations and to no other activities. Continue Reading

HHS Proposes Modifications to the HIPAA Privacy Rule to Enhance Care Coordination and Management and Remove Barriers to Accessing Information

By Jean Tomasco and Conor Duffy on December 15, 2020 Posted in HIPAA, Privacy and Security

On December 10, 2020, the U.S. Department of Health and Human Services (HHS) announced proposed changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, which is one of several rules that protect the privacy and security of individuals’ medical records and other protected health information (PHI). According to HHS, the proposed changes are intended to support individuals’ engagement in their health care, remove barriers to coordinated care and case management, and reduce regulatory burdens on the health care industry, while continuing to protect the privacy and security of individuals’ PHI. Continue Reading

In Anticipation of COVID-19 Vaccine Approval, Connecticut Governor Ned Lamont Issues Executive Order To Facilitate Vaccine Administration and Reporting

By Conor Duffy on December 11, 2020 Posted in Academic Medical Centers, Clinical Research, COVID-19, FDA, Government Enforcement, Healthcare Technology, Hospitals and Health Systems, Pharmaceuticals and Biologics, Pharmacy Law, Physicians and Allied Health Professionals, Reimbursement

On December 7, 2020, Connecticut Governor Ned Lamont signed Executive Order No. 9Q (the “Order”) in anticipation of the approval of COVID-19 vaccines. The Order addresses and expands COVID-19 vaccine administration, establishes flu vaccine reporting requirements for pharmacists, and limits out-of-network charges for administration of authorized COVID-19 vaccines. Specifically, the Order: Continue Reading

HHS Publishes Significant Updates to Anti-Kickback Statute Safe-Harbors and Beneficiary Inducement CMP Regulations

By Robinson+Cole's Health Law Group on December 9, 2020 Posted in Academic Medical Centers, Accountable Care Organizations, Ambulatory Surgical Centers (ASC), False Claims Act, Fraud and Abuse, Government Enforcement, Health Information Exchanges and Electronic Medical Records (EMRs), Health Information Technology, Home Health Agencies, Hospice, Hospitals and Health Systems, Medicare and Medicaid, Office of Inspector General, Pharmaceuticals and Biologics, Pharmacy Law, Physicians and Allied Health Professionals, Telemedicine

On November 30 and December 2, 2020, the Department of Health and Human Services Office of Inspector General (OIG) published two final rules (available here: November 30 Final Rule and December 2 Final Rule) which modify the safe harbor regulations to the federal Anti-Kickback Statute (AKS) and codify a new exception to the Civil Monetary Penalty (CMP) Rules related to beneficiary inducements. Most of the changes are effective January 19, 2021.

Together with the new physician self-referral law (also known as Stark) regulations published by the Centers for Medicare & Medicaid Services on December 2, 2020, these updates represent long-awaited changes to the federal fraud and abuse laws, and are part of the federal administration’s Regulatory Sprint to Coordinated Care (see our analysis of that final rule here).

Click here for our full article, which includes a detailed summary of the final rules.

CMS Publishes Monumental Changes and Updates to the Physician Self-Referral (Stark) Law Regulations

By Robinson+Cole's Health Law Group on December 4, 2020 Posted in Academic Medical Centers, Accountable Care Organizations, Fraud and Abuse, Government Enforcement, Health Information Exchanges and Electronic Medical Records (EMRs), Hospitals and Health Systems, Legislation, Medicare and Medicaid, Physicians and Allied Health Professionals, Reimbursement, Stark Law

On November 20, 2020, the Centers for Medicare and Medicaid Services (CMS) published its long-awaited and highly anticipated final rule updating regulations promulgated under the Physician Self-Referral or “Stark” law (the OIG simultaneously published updates to the Anti-Kickback Statute regulations). Among other things, CMS introduced new Stark exceptions for certain “value-based arrangements,” the donation of cybersecurity technology and services and limited remuneration to physicians; introduced new definitions and updated key terms, including “commercial reasonableness,” the “volume and value” standard and “fair market value”; and updated several existing exceptions, including the exception for the donation of electronic health record items and services. The changes to the Stark law regulations become effective January 19, 2021, except for the changes concerning profit shares and productivity bonuses for group practices, which go into effect January 1, 2022.

Click here for our full article, which includes a detailed summary of the final rule.

Massachusetts Federal Court Declines to Apply State Medical Peer Review Privilege in Federal Whistleblower Case

By Conor Duffy and Peter Struzzi on December 2, 2020 Posted in Academic Medical Centers, False Claims Act, Fraud and Abuse, Government Enforcement, Hospitals and Health Systems, Medical Staff and Peer Review, Physicians and Allied Health Professionals

On November 3, 2020, a Massachusetts Federal District Court issued a notable decision on the applicability of the state’s medical peer review privilege in a federal proceeding, determining that the privilege does not apply to documents requested in discovery as part of a qui tam False Claims Act (FCA) case. In United States ex rel. Wollman v. Massachusetts General Hospital, Inc. et al., Case Number 1:15-cv-11890-ADB, the court reviewed the purpose of the peer review privilege and precedent addressing the applicability of state privileges under the Federal Rules of Evidence, and concluded that the privilege should not apply because the “goal of the peer review privilege would not be thwarted if it was not applied” in a case predicated on alleged billing fraud. The court’s decision is instructive for health care providers and whistleblowers in connection with discovery and the applicability of medical peer review privileges to FCA cases. Continue Reading

Physician Self-Referral Law (Stark), Anti-Kickback Statute, and Beneficiary Inducement CMPs – HHS Releases Final Rules

By Melissa (Lisa) Thompson and Conor Duffy on November 21, 2020 Posted in Fraud and Abuse, Health Information Exchanges and Electronic Medical Records (EMRs), Health Information Technology, Healthcare Technology, Hospitals and Health Systems, Managed Care, Medicare and Medicaid, Office of Inspector General, Pharmacy Law, Physicians and Allied Health Professionals, Stark Law, Telehealth, Telemedicine

On November 20, 2020, the Department of Health & Human Services (HHS) released heavily anticipated final rules revising the regulatory exceptions to the Physician Self-Referral Law (also known as the Stark Law), the Anti-Kickback Statute (AKS) safe harbors, and the Beneficiary Inducements Civil Monetary Penalties (CMP) regulations. The changes to the regulations go into effect on January 19, 2021 (except for one change to the Physician Self-Referral Law that becomes effective January 1, 2022). In a separate rule also released November 20th, HHS removed safe harbor protection for rebates involving prescription pharmaceuticals and created a new safe harbor for certain point-of-sale reductions in price on prescription pharmaceuticals and pharmacy benefit manager service fees.

The full text of each rule is available below.

Final Physician Self-Referral Law Rule, Centers for Medicare & Medicaid Services (CMS): https://public-inspection.federalregister.gov/2020-26140.pdf
Final AKS Rule and Beneficiary Inducements CMP Regulations, Office of Inspector General (OIG): https://public-inspection.federalregister.gov/2020-26072.pdf
Final Rule on Rebate/Point-of-Sale Price Reductions Safe Harbor, OIG: https://public-inspection.federalregister.gov/2020-25841.pdf?utm_campaign=pi+subscription+mailing+list&utm_source=federalregister.gov&utm_medium=email

OCR’s Tenth Right to Access Settlement Is Small but Meaningful

By Linn Foster Freedman on November 19, 2020 Posted in HIPAA

The Office for Civil Rights (OCR) recently settled a tenth case under its right-to-access initiative with California-based Riverside Psychiatric Medical Group (RPMG), for $25,000.

Although a relatively small settlement in the amount paid, it shows that the OCR is taking patients’ requests for access to their medical records seriously, and that no complaint is too small to investigate and enforce. Continue Reading

This Blog/Website is made available by the lawyer or law firm publisher for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. By using this blog site you understand that there is no attorney client relationship between you and the Blog/Website publisher. The Blog/Website should not be used as a substitute for competent legal advice from a licensed professional attorney in your state. Any opinions expressed on this Blog/Website are opinions only of the author, expressed at the time the material is written based on information available to the author at that time, and are not opinions of the author's law firm or any of the author's or the law firm's clients. Regulations and other government action and guidance referenced on this Blog/Website have not necessarily been subject to judicial review and scrutiny. This Blog/Website is not intended to be attorney advertising. To the extent it might be deemed to be attorney advertising, it should not be considered advertising or to be seeking legal work in any jurisdiction in which the author is not admitted to practice law.