OCR Issues Five New HIPAA FAQs on Health Information Apps

On April 18, 2019, the Department of Health & Human Services Office for Civil Rights (OCR) issued five new FAQs addressing the applicability of HIPAA to the use of software applications (apps) by individuals to receive health information from their providers.

The new FAQs are available here under the Header “Access Right, Apps and APIs.”

In the FAQs, OCR:

  • Emphasizes that an individual’s right to access her/his protected health information (“PHI” or “ePHI”) under HIPAA generally obligates a covered entity to send PHI to a designated app, even if the covered entity is concerned about the app’s security or how the app will subsequently use or disclose the PHI;
  • Explains that a covered entity would not be liable under HIPAA for an app’s subsequent use or disclosure of PHI sent to the app at the direction of an individual, unless the app was “developed for, or provided by or on behalf of the covered entity – and, thus, creates, receives, maintains, or transmits ePHI on behalf of the covered entity”; and
  • Notes that a covered entity that transmits ePHI to an app via an unsecure manner or channel – at an individual’s direction – would not be responsible for unauthorized access during such transmission, but such an entity may want to counsel the individual regarding the security risks involved in such a transmission.

The FAQs also address potential liability of a covered entity’s EHR system developer under HIPAA following transmission of ePHI to an app on behalf of the covered entity. OCR similarly counsels that liability could attach under HIPAA where the EHR system developer owns the app or has a business associate relationship with the app developer, and makes the app available to, through or on behalf of the covered entity. OCR also notes that “an app’s facilitation of access” to an individual’s ePHI does not in itself create a business associate relationship between the app and a covered entity or EHR system developer.

Ultimately, the new FAQs provide important guidance for covered entities, EHR developers and app developers on the intersection of new forms of technology – such as wearables and health tracking apps – with HIPAA and health care providers. The FAQs also provide a reminder regarding the limits on the applicability of HIPAA, and reiterate the importance of HIPAA’s right to access for individuals.

CMS Announces New Direct Contracting Care Models

On April 22, 2019, the Centers for Medicare and Medicaid Services (CMS) announced two new voluntary risk-sharing payment models—Professional Population-Based Payment (PBP) and Global PBP. Under the Professional PBP model, CMS will pay participating organizations (referred to as Direct Contracting Entities or DCEs) a monthly, risk-adjusted primary care capitation payment, as well as 50 percent of shared savings/losses for enhanced primary care services. The Global PBP model, which is aimed at larger organizations, offers a higher level of risk and reward. DCEs participating in the Global PBP will receive/be responsible for 100 percent of shared savings/losses and will have two capitation payment options. The first option is the same primary care capitation payment as in the Professional PBP model, and the second option is a total care capitation payment for all services provided by the DCE and preferred providers with whom the DCE has an agreement. Under either model, DCEs may offer patients certain “benefit enhancements” for the purpose of promoting accessibility to innovative and affordable care.

Texas Health System MD Anderson Seeks 5th Circuit Review of HHS Determination that HIPAA Required Encryption of its ePHI

On April 8, 2019, The University of Texas MD Anderson Cancer Center (MDA) filed a petition with the U.S. Court of Appeals for the Fifth Circuit seeking review of a decision by the Department of Health & Human Services’s (HHS) Departmental Appeals Board (DAB) Appellate Division to uphold $4.35 million in civil money penalties (CMPs) assessed against MDA by HHS for alleged violations of HIPAA’s Security and Privacy Rules.

The DAB’s decision, issued on February 8, 2019, affirmed a 2018 decision by an Administrative Law Judge that sustained CMPs issued against MDA arising from three HIPAA breaches in 2011 and 2012 (see our previous analysis of the ALJ’s decision here).

OIG Approves of Free In-Home Follow-Up Care Program Targeting High Risk CHF and COPD Patients in Advisory Opinion

On March 6, 2019, the U.S. Department of Health & Human Services Office of Inspector General (OIG) issued a favorable advisory opinion that allows a nonprofit medical center (“Center”) to offer free, in-home follow-up care after a recent hospital admission for qualifying patients (the “In-Home Program”). In Advisory Opinion No. 19-03, the OIG concluded that although services furnished to qualifying patients under the In-Home Program would constitute remuneration to patients under the Anti-Kickback Statute (AKS) and the Civil Monetary Penalties law (CMP), the OIG would not impose sanctions on the Provider due to the low-risk nature of the In-Home Program.

The Provider furnishes a range of inpatient and outpatient hospital-based services, and currently offers in-home care to qualifying high-risk patients suffering from congestive heart failure (CHF) who (i) are currently admitted as inpatients of the Provider or (ii) were admitted within the previous 30 days and are being treated by the Provider’s outpatient cardiology department (“Current Arrangement”). Under the Current Arrangement, a clinical nurse leader must determine that the patient is a high risk for inpatient readmission using an industry-standard risk assessment tool, the patient must be willing to enroll in the program after consultation with the clinical nurse leader, the patient must seek follow-up care at the Provider’s CHF center, and the patient must live in the Provider’s service area.

Series of 2019 Enforcement Actions Highlight Continued Federal and State Scrutiny of Health Care Billing in Connecticut

Since the beginning of 2019, federal and state authorities in Connecticut have announced a number of enforcement actions targeting alleged health care fraud in the state. These cases are a reminder to providers of heightened criminal and civil scrutiny of arrangements implicating health care fraud and abuse laws in the state, and also reflect the extensive federal-state cooperation between the Department of Justice (DOJ) and Office of the Attorney General (AG) in investigating fraud and abuse. That federal-state cooperation is part of Connecticut’s Interagency Fraud Task Force, an initiative started in 2013 to prosecute fraud that includes multiple Connecticut agencies, as well as DOJ and the Office of Inspector General (OIG) within the Department of Health & Human Services (HHS).

CBD Update: FDA Issues Statement, Calls Public Hearing, and Announces Warning Letters on Products Containing Cannabis and its Components

On April 2, 2019, the Federal Food and Drug Administration (FDA) issued a statement and announced a public hearing on consumer products derived from cannabis and its components, including cannabidiol (CBD). Recognizing the need to provide clarity on the authority of FDA to regulate these products, and what pathways are available for marketing them, the agency outlined its next steps:

  • A public hearing will be held on May 31, and written comments are being sought from the public.
  • FDA is forming a high-level internal agency working group to explore potential pathways for dietary supplements and/or conventional foods containing CBD to be lawfully marketed, including possible changes in existing laws. The working group plans to begin sharing information and/or findings with the public as early as Summer 2019.
  • Frequently asked questions on FDA’s webpage will continue to be updated to address this subject.
  • FDA will continue to issue warning letters to companies marketing CBD products, in particular those making what FDA characterizes as “egregious and unfounded claims that are aimed at vulnerable populations.”

The FDA statement noted that products containing cannabis and cannabis derivatives (such as CBD) are currently being marketed as human drugs, dietary supplements, conventional foods, animal foods and drugs, and cosmetics, among other things. The agency pointed out that attention to these products increased after passage of the Agriculture Improvement Act of 2018 (2018 Farm Bill). The 2018 Farm Bill established “hemp” as a new classification of cannabis – and defined hemp as cannabis and cannabis derivatives with extremely low (no more than 0.3 percent on a dry weight basis) concentrations of the psychoactive compound delta-9-tetrahydrocannabinol (THC). Although the 2018 Farm Bill removed hemp from regulation under the Controlled Substances Act, Congress retained the FDA’s authority to regulate these products under the Federal Food, Drug, and Cosmetic Act and Public Health Service Act. At that time, the FDA issued a statement explaining the agency’s approach to these products.

FDA also announced that it had issued warning letters, in collaboration with the Federal Trade Commission, to three companies, alleging that they made unsubstantiated product claims on product webpages, in online stores, and on social media websites, including the purported ability to limit, treat or cure: cancer, neurodegenerative conditions, autoimmune diseases, opioid use disorder, and other serious diseases. The subject products included oils, salves, gummies, and CBD for dogs.

The FDA statement clarified the agency’s commitment to “protect consumers from companies illegally selling CBD products that claim to prevent, diagnose, treat, or cure serious diseases, such as cancer, Alzheimer’s disease, psychiatric disorders and diabetes.” This includes continuing to monitor the marketplace and taking enforcement action in these cases. At the same time, FDA emphasized the countervailing goal of “exploring an appropriate, efficient and predictable regulatory framework to allow product developers that meet the requirements under [its] authorities to lawfully market these types of products.” The FDA acknowledged in the statement that it could take “some time” to fully resolve the pathways available for dietary supplements and/or conventional foods containing CBD to be lawfully marketed.

New York Court of Appeals Upholds Thirteen-Hour Rule for Home Health Aide Pay

On March 26, 2019, the New York Court of Appeals upheld the state Department of Labor’s (the DOL) so-called “13-hour rule” governing payment of home health care aides who work 24-hour shifts. In a closely-watched decision with significant ramifications for the state’s home health industry, New York’s highest court reversed two 2017 appellate decisions that had overturned the DOL’s rule and caused substantial uncertainty for home health providers throughout the state. In short, the New York Court of Appeals confirmed that New York home health care aides may be paid for 13 hours of a 24-hour shift, as long as the aides are given eight hours of sleep time (with five of those being uninterrupted hours) and three hours of meal breaks.

As background, in New York home health aides who work 24-hour shifts have been treated as “live-in employees” for purposes of New York’s Minimum Wage Order regulation (the Wage Order). Under the DOL’s interpretation of the Wage Order, employers were not required to pay an aide for each hour of a 24-hour shift as long as the aide was given up to eight hours of sleep time (with at least five of those hours uninterrupted) and three hours for meal breaks. The DOL most recently affirmed its interpretation via an opinion letter issued in March 2010, which states in pertinent part that “it is the opinion and policy of this Department that live-in employees must be paid not less than for 13 hours per 24-hour period provided that they are afforded at least eight hours for sleep and actually receive five hours of uninterrupted sleep, and that they are afforded three hours for meals.” This recognition of the 13-hour rule for live-in employees was consistent with positions taken by the DOL in previous decades.

Group Practice to Pay $1.85 Million Settlement Tied to Allegations of Improper Unbundled Billing

On February 25, 2019, the U.S. Department of Justice (DOJ) announced a settlement with a urology group practice to settle allegations of False Claims Act (FCA) violations tied to the alleged submission of improperly unbundled Medicare claims. The pursuit and settlement of this FCA suit by the DOJ represents at least the second recent enforcement action targeting allegations of improper unbundled billing of services to Medicare, and may therefore indicate heightened governmental interest in those billing practices. See here for our analysis of the previous unbundled billing case.

Department of Justice Intervenes in False Claims Act Suit, Adding Reimbursement Consultant Defendant

On February 19, 2019, the Department of Justice (DOJ) announced that it had intervened in a False Claims Act (FCA) whistleblower suit filed against Arriva Medical LLC (Arriva) and its parent that allegedly involves the submission of false claims for medically unnecessary glucometers, and alleged kickbacks to Medicare beneficiaries in the form of free glucometers and copayment waivers. This intervention is particularly noteworthy for the fact that in addition to joining the suit, DOJ announced that it was adding a reimbursement consultant used by Arriva as a defendant to the FCA suit.

Department of Justice Announces Significant False Claims Act Settlements Tied to Electronic Health Records Arrangements

The Department of Justice (DOJ) recently announced two high-dollar False Claims Act (FCA) enforcement actions involving allegedly fraudulent arrangements tied to the implementation and use of electronic health record systems (EHRs). The respective settlements enable recovery by DOJ of over $100 million, and immediately precede the government’s recent proposal of new rules to promote the interoperability of EHRs. The settlements thus serve as an important reminder of the importance of adhering to federal fraud and abuse laws and regulations as hospitals and other health care providers continue to implement EHR technology.
